The existing INFOCON system is an information warning system that the DOD maintains. It is not formally correlated to other warning systems, such as DEFCON or the Homeland Security Advisory System Threat Condition. The criteria for each INFOCON level are subjective. The INFOCON recommended actions are a mix of policy and general technical measures. The INFOCON system vaguely follows the Defense in Depth network defense methodology.

This thesis examines the foundations for the existing INFOCON system and presents an evolved INFOCON system. The focus will be on the security of the DOD information infrastructure and the accomplishment of the mission, as well as the usability and the standardization of the INFOCON warning system. The end result is a prototype that is a set of predefined escalation scripts for the evolved INFOCON system's safeguard measures.
I. INTRODUCTION


A. BACKGROUND

The Department of Defense (DOD) commissioned research in the 1960s into developing new electromagnetic pulse (EMP) proof networking technology. The research became known as the ARPANET, because the project was funded by the Advanced Research Projects Agency. The ARPANET grew to connect military agencies, universities, and national laboratories. When the Transmission Control Protocol (TCP) and Internet Protocol (IP) were adopted for the ARPANET, several common terms were formed. An internet is a set of TCP/IP-connected networks. The proper noun Internet (with a capital 'I') was coined for the ARPANET to describe the connected TCP/IP internets. [PU03, ZA01, GM01]

It wasn't until 1984 that computer viruses were seen as a potential widespread problem for the Internet. The first large-scale attack against computers connected to the Internet was the "Internet worm" that was launched in 1988. So, before the first commercial provider of Internet (not ARPANET)¹ dial-up access went on-line in 1990, there had already been attacks against computers on the Internet. By 1995, traditional online dial-up services, such as America Online and Prodigy, began to provide Internet access. [PU03, ZA01, GM01]

In a report in 1996, the Defense Science Board identified a need for structured responses to attacks on the Nation's information infrastructure. That same year Information Assurance (IA) was defined as:

Information Operations that protect and defend information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities. [CN01]

Information Operations are the actions taken to affect an adversary's information and Information Systems (IS) while defending one's own information and Information Systems. [CN01, DE02]

1 Dial-up networks that provided limited access to the ARPANET were available in the 1970s. [DI02]
The Information Operations Condition (INFOCON) system was implemented in 1999. It recommends actions and raises the awareness and information assurance standards to the appropriate level of readiness to meet expected cyber threats and attacks against the DOD information infrastructure (DII). This infrastructure includes computer and telecommunications networks and systems. The INFOCON system provides a hierarchy of protection profiles that should be implemented to defend networks. [KE01, RA02] These are not the same INFOCON levels as those from the SANS Institute.² [SY01]

B. PURPOSE OF STUDY

1. Scope and Assumptions

This thesis will assess the existing INFOCON levels to ascertain the specific threats indicated by each, then proceed to define a set of security safeguards that are appropriate threat-mitigation responses for each of the threat levels. A prototype, proof-of-concept set of configuration scripts will be developed that effects the set of safeguards by modifying the security profile of three network/networked devices/tools (e.g., change a gateway router's filter rule-set, change the auditing granularity that the Syslog server receives, or have a switch block a specific port). The groundwork laid by this thesis could potentially lead to additional research that, in turn, would lead to a dynamic implementation of a Quality of Security Service (QoSS) architecture. This thesis will make no attempt to create an artificially intelligent agent that will automatically control the entire process of detecting threats and reconfiguring the network's defensive posture in real time; nor will a comprehensive protection mechanism be developed.

This research will define sets of network security safeguard measures that are appropriate to counter the explicit and implicit threats posed by each of the existing INFOCON threat levels. The research will develop a proof-of-concept set of configuration scripts that alter the defensive security posture of 2-3 network/networked devices/services (e.g., router, server, switch).


2 For detailed information regarding SANS Infocon, please visit http://isc.sans.org/ (February 2004) or http://www.sans.org (February 2004).
2. Research Questions

This thesis will answer the following questions.

• How are the INFOCON levels defined?

o By the perceived threat?
o By what that threat is directed against?
o By mitigation response measures?

• How are the INFOCON levels demarcated?

o What criteria constitute the "cutoff" between each layer?
o Is there a common "theme" to each layer that could be leveraged when choosing the appropriate set of safeguard techniques to apply?

• What is the current landscape of network defense methodologies?

o Is it predominantly ad hoc, or is there a pre-defined escalation approach?
o What defense mechanisms, if any, lend themselves to an automated invocation and/or re-configuration?

• What is the appropriate tactical response to each of the INFOCON levels?

• What security-implementing devices/services would make good candidates for implementing the security scripts?

• Can the safeguard scripts be centrally managed?


C. ORGANIZATION OF PAPER

1. Characterization of Existing Warning Systems

Some of the existing warning systems and their relationship to each other and to the INFOCON system will be discussed.

2. Analysis of Existing INFOCON System

The INFOCON levels will be analyzed to characterize each level and determine the method of demarcation. The relationship among some of the existing warning systems, including the INFOCON, will also be analyzed.

3. Analysis of Network Defense Methodologies

Defense methodologies currently in existence will be analyzed, with particular emphasis given to those methodologies specific to the DOD.

4. Recommendations

Define an evolutionary INFOCON system that satisfies the goal of the existing INFOCON system. The new INFOCON system should improve usability, feasibility, and the security of the DOD information infrastructure. The safeguard measures that are presented should be specific, technical, and feasible. The measures will be roughly categorized by their functional area. In each area, the safeguard measures will be mapped to the devices/tools which will implement them. The criteria for selecting the prototype devices/tools will be discussed. The devices will include a gateway router, a managed switch, and a Syslog server.

5. Development of Safeguard Measures Scripts

For each device/service, a safeguard script will be developed for each of the suggested INFOCON threat levels that effects the suggested safeguard measures for that level.

6. Conclusions

Summarize the evolved INFOCON system and its benefits. Present the conclusions, including the feasibility of the evolved system and any future work. The research questions will be answered.
II. CHARACTERIZATION OF EXISTING WARNING SYSTEMS


There are many warning systems in existence in the United States and the world. Most of these were created and are used by United States Government organizations. The information revolution has caused the corporate sector to create its own information warning systems as well. This chapter will only cover those systems that should directly relate to, or influence, the protection of information that falls under the purview of the U.S. Government, with an added focus on DOD-specific warning systems. [AD01, FA01, FA02, RA01, RA02, US01, WE01]

A. INFOCON

The INFOCON system is a defensive warning system for the DOD based on military operations, the intelligence assessment of adversary capabilities and intent, information network indicators, and the status of information systems.³ It is a system of progressive levels of the probability of attack and its impact on military operations. The corresponding response measures are mostly reactionary. They are meant to include preventive actions, reactive actions taken during an attack, and mitigating, damage-control actions. Reactive actions during the attack would be those to stop an attack, whereas mitigating actions are actions to limit or reverse damage to the system. [LU01, OF01, RA01, RA02, US01, WE01]

There are five INFOCON levels. The range from lowest to highest is Normal through Delta. Each level has criteria. One or more of the criteria of that level must be met to substantiate a change to that level. The criteria for each level are broad guidance to consider, not firm rules. Also, each level has recommended actions, which are the response measures to the expected threat. The system is maintained by the Joint Task Force for Computer Network Operations (JTF-CNO). The criteria, recommended actions, authority, applicability, and procedures are detailed further in Chapter 3. [LU01, OF01, RA01, RA02, US01]

3 For more information please visit http://207.133.209.84/amc/ci/matrix/documents/cics level/eies-infocon.pdf (February 2004).
Figure 1. INFOCON Levels.


B. SANS INFOCON

The SysAdmin, Audit, Network, Security (SANS) Institute maintains its own INFOCON system in conjunction with its Internet Storm Center.⁴ This system is intended to indicate the condition of the Internet infrastructure, not to monitor particular nations or companies.⁵ It reflects changes in malicious traffic and the possibility of connectivity disruption. [SANS00]

There are four levels in this system, indicated by color. The lowest level is green, indicating that the situation is normal with no known threats. The next level is yellow, indicating that SANS is tracking a significant new threat whose impact is not known or is expected to be minor to the Internet infrastructure. At this level, SANS advises users to take immediate action to contain the impact. Orange is the next level and indicates that a major disruption in Internet connectivity is imminent or in progress, but there is no action specified by SANS. The highest level, red, indicates a loss of connectivity across a large part of the Internet infrastructure, but again, with no remedial action specified by SANS. [SANS00]

4 For detailed information regarding SANS Infocon, please visit http://isc.sans.org/ (February 2004) or http://www.sans.org (February 2004)

5 For information regarding the authority, applicability, and procedures please visit http://isc.sans.org/about.html (February 2004)
C. FPCON/THREATCON

1. THREATCON

THREATCON is the acronym for the terrorist threat condition.⁶ It is a standardized system of threat conditions that describes five progressive levels of protective measures implemented by the DOD in response to terrorist threats to all U.S. Military personnel and facilities. This is not the ThreatCon as defined by Symantec Corporation. Because of the confusion with the Department of State's Threat Levels, the name THREATCON was replaced by FPCON in June 2001. [AD01, AN01, DI01, DOD02, EU01, FA01, ST03, US01, US02, WE01]

2. FPCON

FPCON is the acronym for the force protection condition. Though the name changed from THREATCON, the system, individual classifications, and measures remain the same.⁷ ⁸ The FPCON system has five levels. Incidentally, the levels have the same names as the INFOCON levels. The levels are Normal, Alpha, Bravo, Charlie, and Delta. The measures for the levels, like the INFOCON level recommended actions, build upon the prior level. [AN01, DI01, DOD02, DT02, EU01, FA01, ST03, US01, US02, WE01]


6 For more details: http://www.fas.org/irp/doddir/dod/app-J THREATCON.htm (February 2004)

7 Please see http://www.angelfire.com/ca7/Security/threatcon.html (February 2004) for more details

8 Please see http://www.dtic.mil/whs/directives/corres/pdf/d200012_081803/d200012p.pdf (February 2004) for more details on applicability, authority, and procedures.
Figure 2. FPCON Levels.

The FPCON Normal level is indicated when there is no discernible terrorist activity. Because there always exists a general threat of possible terrorist activity, a routine security posture is warranted. Its recommended actions are to secure areas when not in use, maintain positive control of identification, and be aware of local anti-government demonstrations. [AN01, EU01, DOD02, FA01, JO01, ST03, US02, WE01]

If the threat of terrorist attack is low, meaning there are general, nonspecific threats of terrorist activity against personnel and/or facilities of unpredictable nature and unknown extent, then FPCON level Alpha is indicated. This level must be maintainable indefinitely with only limited impact on operations. Though the circumstances don't justify full implementation of FPCON Bravo, it may be necessary to implement certain measures from higher FPCON levels as a deterrent or because of intelligence received. See Appendix D, FPCON, for the complete listing of recommended actions for this level. [AN01, EU01, DOD02, FA01, JO01, ST03, US02, WE01]

FPCON Bravo is indicated when an increased and more predictable threat of terrorist activity exists, but no specific threat has been identified. This level's recommended measures must be maintainable for several weeks without substantially affecting operational capabilities, causing undue hardship to personnel, or aggravating relations with local authorities or members of the local civilian or host nation community. See Appendix D, FPCON, for the complete listing of recommended actions for this level. [AN01, EU01, DOD02, FA01, JO01, ST03, US02, WE01]

The next level, FPCON Charlie, is indicated when intelligence indicates that a threat action against personnel and facilities is imminent or an incident has occurred. If Charlie's recommended measures are implemented for more than a short duration, then hardships will probably be created and peacetime activities for personnel and units will be affected. [AN01, EU01, DOD02, FA01, JO01, ST03, US02, WE01]

Finally, FPCON Delta is indicated in the immediate area when intelligence indicates terrorist action against a specific location or person is likely or when a threat attack has occurred. The implementation of FPCON Delta is normally for only a limited duration over specific, localized areas. This condition will cause significant personnel hardships and substantial peacetime mission capability reduction if sustained for extended durations. [AN01, EU01, DOD02, FA01, JO01, ST03, US02, WE01]

D. HSAS THREAT CONDITIONS

The Homeland Security Advisory System, HSAS, is a product of the newly formed Department of Homeland Security (DHS).⁹ It provides a nationwide, comprehensive, effective means of disseminating information regarding the risk of terrorist acts. It provides warnings using the graduated Threat Conditions, which increase as the risk of the threat increases. Each Threat Condition has a corresponding set of Protective Measures. These Protective Measures are in addition to each agency's or department's specific measures. Federal agencies and departments implement the corresponding Protective Measures to best reduce their vulnerability or increase their response capability for the indicated threat level. The Threat Conditions are assigned by the Attorney General of the United States of America in consultation with the Assistant to the President for Homeland Security. The DHS directive that describes the HSAS may be found in Appendix E, Homeland Security Advisory System.¹⁰ [WH01]


9 For more information, see http://www.dhs.gov/dhspublic/ (February 2004)

10 The authority, applicability, and procedures for the HSAS ThreatCon can be found in Appendix E.


There are also five HSAS Threat Conditions. Higher threat conditions indicate both a higher likelihood of attack and an expectation of greater severity per attack. Each Threat Condition is identified by a descriptor and corresponding color. [WH01]

The lowest Threat Condition is Low, which is represented by the color green. It is declared when there is a low risk of terrorist attacks. The next level is Guarded, and it is represented by the color blue. The Guarded condition is declared when there is a general risk of terrorist attacks. It is followed by Elevated, which is represented by the color yellow. This condition is declared when there is a significant risk of terrorist attacks. The level High is the second highest level and is represented by the color orange. A High condition is declared when there is a high risk of terrorist attacks. Finally, the highest level, Severe, is represented by the color red. It reflects a severe risk of terrorist attacks. This level's protective measures aren't intended to be sustained for substantial durations of time. [WH01]
E. DEFCON

DEFCON is the acronym for Defense Readiness Condition. This system describes progressive alert postures, which are primarily used by the Joint Chiefs of Staff and the commanders of unified commands.¹¹ These conditions are phased increases in combat readiness. They are graduated to match situations of varying military severity. [FA02, SC01, ST03]

There are five DEFCON levels, from 1 to 5. The lowest is DEFCON 5, which is normal, peacetime readiness. DEFCON 4 is normal, peacetime readiness, but with increased intelligence and strengthened security measures. An increase in force readiness above normal readiness is implemented at DEFCON 3. A further increase in force readiness that is less than the maximum readiness is set at DEFCON 2. The maximum force readiness is DEFCON 1. [FA02, SC01, ST03]


F. WATCHCONS

These are classified warning systems from the intelligence communities.¹² These systems will only receive cursory coverage here due to the classified nature of their domain. Both systems have five levels. The level descriptions are 1 to 5. WATCHCON 5 is normal conditions without any unusual military movements. Level 4 of the WATCHCON is normal conditions with a potential threat that requires continued surveillance. There is a concern for an increased threat against the national security at WATCHCON 3. Signs of imminent danger and significant threat to national interest are WATCHCON 2. WATCHCON 1 is a clear immediate threat of enemy attack. [GF01, IE01, KE01, KE02]

1. WATCHCON

The Watch Condition, or WATCHCON, system is a defensive warning system based on the intelligence community's degree of concern regarding a particular warning issue. [KE01, KE02, RA02]

11 Please see http://www.fas.org/nuke/guide/usa/c3i/defcon.htm (February 2004) for more information. Minimal information found on authority, applicability, and procedures.

12 No information could be found regarding the authority, applicability, and procedures for the WATCHCONs.
2. CNA-WATCHCON

The Computer Network Attack Watch Condition, or CNA-WATCHCON, system is another warning system based on assessment of intelligence that includes the overall political situation and the CNA threat levels. [KE01, KE02, RA02]


G. RELATIONSHIPS AMONG THE WARNING SYSTEMS

Each of the systems discussed is currently in use in the United States. The FPCON levels represent the defensive condition of the United States military and its assets abroad. The Homeland Security Advisory System represents the preparedness and readiness of the United States against the terrorist threat. The DEFCON levels represent the United States' military preparedness for the likelihood of war. The WATCHCONs represent the intelligence community's concern regarding a specific problem in the world. The SANS INFOCON represents the condition of the world's Internet infrastructure. The INFOCON levels represent the United States Department of Defense's preparedness and readiness for the intentional disruption of DOD information systems. [FA02, NA02, NA04, RA01, RA02, SC01, WE01]

All of the systems are roughly analogous. Each is defined by one or more combinations of: an assessed threat, the capability to implement the necessary protective measures, and the overall risk to the organizations.

Does one system influence another? It would be assumed that each affects the others, because all of the systems relate to very broad factors that contribute to the all-around defensive preparedness of the United States. Thus, all of the more general coverage warning systems should have some form of impact on the more specific INFOCON level: more specific because it addresses threats specifically to information. The inverse does not hold true; i.e., the INFOCON level would not always be expected to influence the other systems. This is because some of the other warning systems are focused on their specific task and the INFOCON doesn't fall into that task. This thesis is interested in what drives the INFOCON level, so as to better define the appropriate measures for each level. [FA02, NA02, RA01, RA02, SC01, WE01]


Figure 5. Collective Stimulus of Warning Systems on the INFOCON System.

The FPCON and HSAS Threat Condition levels are both defined by terrorist threats and activity, which should link the two systems closely together. Also, because the HSAS is nationwide and the FPCON is a DOD warning system, HSAS should influence the FPCON level. Or, the FPCON should influence the HSAS because the FPCON level covers the US and its assets abroad while HSAS only covers the US. Neither seems to be the case.

The original INFOCON documentation states that the THREATCON, now FPCON, may impact the INFOCON level. Currently, the JTF-CNO doesn't suggest that either the FPCON or the HSAS impact the INFOCON. This may be because terrorists haven't, as far as we know, yet resorted to cyber terrorism.

The FPCON and DEFCON systems are both indicators of the world situation. The DEFCON levels represent our likelihood of going to war. This is one system that should influence the INFOCON level, because if war is imminent or occurring our information systems should employ greater protective measures in expectation that the enemy will be targeting them with any means at their disposal. Though, at DEFCON 1, there may be some situations that require no additional protective measures be in place in order to accomplish the mission. The original INFOCON document states that DEFCON may impact the INFOCON level. However, the JTF-CNO discourages correlation between the DEFCON level and the INFOCON level. [ST02]

There is no correlation between any of the governmental warning systems and the SANS INFOCON system.

The intelligence community's level of concern, which is represented by the WATCHCON and CNA-WATCHCON systems, seems to be the one warning system that has a direct correlation to the INFOCON. Intelligence assessments from the WATCHCONs are in the criteria for the INFOCON levels. In fact, the WATCHCONs seem to have influence on all of the other warning systems. This makes sense, because all of the warning systems have an intelligence assessment component.

This relationship among the various threat systems is presented in Figure 6. This figure highlights both the comprehensive coverage of the WATCHCON systems and the overlapping, cross-influential relationships among the remaining systems. Of particular import to this thesis is the notion that the INFOCON levels are influenced to some degree by the Nation's other governmental threat level systems.


Figure 6. WATCHCONs' influence on other warning systems.
III. ANALYSIS OF EXISTING INFOCON SYSTEM


Before analyzing the INFOCON system, the four assumptions made by its drafters should be presented. These assumptions are explicitly expressed as such in the original INFOCON documentation. First among these assumptions is the belief that a successful intrusion in one network may facilitate access to another network, so it is assumed that a risk assumed by one is a risk that may eventually be "shared" by all. The methods employed by increasingly sophisticated attackers are more problematic to detect. Thus, it is another assumption that the protective measures must be planned, exercised, and executed in advance of an attack. That the anonymous nature of an attacker must not hinder the execution of defensive strategies and tactics is another assumption. Similarly, that an incident that could be an attack, system anomaly, or operator error should be characterized as malicious until assessed otherwise is the final assumption. [LU01, OF01, RA02]

There are several places where indications and warning are mentioned in the criteria. These are the indications and warning for Information Operations from the CNA-WATCHCON. CNA intelligence assessments, specific criteria, and procedures are classified SECRET or higher, so no further detail about them will be discussed in this thesis. [DE03, RA02]

The purpose of the INFOCON is to recommend actions that uniformly heighten or reduce the DOD defensive posture, to defend against CNA, and to mitigate sustained damage to the DOD information infrastructure. There are five INFOCON levels. The range from lowest to highest is Normal through Delta. Each level has criteria. Any one of the level's criteria can be met to justify elevation to that level. The criteria for each level are broad guidance to consider, not firm rules. [EU01, OF01, RA02]


A. AUTHORITY

This system was established by the Secretary of Defense. Initially, it was administered through the Director for Operations, Joint Staff (J-3). It is currently administered by the Commander, Joint Task Force for Computer Network Defense (JTF-CND). The JTF-CNO is the office that is currently tasked with updating/reworking the INFOCON system.


B. APPLICABILITY/SCOPE

The INFOCON system is used throughout the Department of Defense, all over the world. This includes the Joint Staff, Services, combatant commands, and Defense agencies. The INFOCON system applies in both peacetime and war. All commands and support agencies must develop procedures specific to their command/agency in addition to those already recommended. Procedures developed are propagated downwards. [RA02]


C. PROCEDURES

There are two sets of procedures to consider. Why the INFOCON level changes is covered by the procedures for determining the INFOCON level, and who can change the INFOCON level is covered by the procedures for declaring the INFOCON level.

1. Determining the INFOCON

The INFOCON level is based on significant changes to operational, technical, and/or intelligence factors. These factors are further detailed in Section 3-D, the analysis of the criteria. The JTF-CNO assimilates and evaluates information to assess the CND situation DOD-wide. Commanders must assess the situation and establish the proper INFOCON based on the evaluation of all relevant factors. [RA02]

2. Declaring the INFOCON

The  INFOCON  is  set  for  the  DOD  by  the  Secretary  of  Defense  (SecDef).  The 
JTF-CNO  recommends  the  changes  through  the  Chairman  of  the  Joint  Chiefs  of  Staff 
(CJCS)  to  the  SecDef,  who  may  further  delegate  declaration  authority  to  the  JTF-CND. 
All  commands  and  agencies  may  change  their  organization’s  INFOCON  level,  but  they 
must  remain  at  an  INFOCON  level  that  is  no  less  than  the  INFOCON  directed  by  SecDef 
or  the  CJCS.  [RA02] 
D. ANALYSIS OF EACH INFOCON LEVEL’S CRITERIA

1.  Normal 

The lowest INFOCON level is Normal, and it indicates normal activity. The only
criterion for maintaining this level is that there is no significant probability of attack
against the network. The existing INFOCON does not require specific tools or devices
to secure the network. [LU01, RA02]

2.  Alpha 

The next level, Alpha, indicates an increased probability of attack. The primary
consideration, per the JTF-CND, is whether there is any planned or ongoing military
operation, contingency, or exercise that requires increased security of information
systems. The next item to consider is whether the CNA intelligence indications and
warnings (I&W) indicate a general threat. Any detected network scans, probes, or other
activities indicating a pattern of surveillance would be the next consideration. Regional
events that affect US interests and that involve potential adversaries with suspected or
known CNA capability would be the final indication to elevate to the Alpha level.
[LU01, RA02]

3.  Bravo 

The Bravo level indicates a specific probability of attack. A planned or ongoing
major military operation or contingency would be the first criterion to consider. This
would be followed by any CNA intelligence I&W indicating the specific targeting of
systems, locations, units, or operations. The network consideration would be a
significant level of network probes, scans, or activities detected indicating a pattern of
concentrated reconnaissance activity. The final consideration would be any attempted
network penetration or Denial of Service (DoS) that has no current or expected impact on
DOD operations. [LU01, RA02]

4.  Charlie 

The occurrence of limited attacks indicates the Charlie level. There are two main
criteria. The intelligence assessment(s) indicating a limited attack is the proactive
criterion. The other criterion is the detected attack(s) on information systems with
limited impact to DOD operations. Limited impact is defined as minimal success of the
attacker and the attack successfully counteracted, little or no data or systems
compromised, or the unit is able to accomplish its mission. [LU01, RA02]

5.  Delta 

The highest level, Delta, indicates the occurrence of general attacks. It has two
criteria to consider, both of which have to do with the impact of incidents. The
detected, successful attack(s) on information systems that impact DOD operations is one
criterion. The other is widespread incidents that undermine the ability of the unit to
function effectively, causing a significant risk of mission failure. [LU01, RA02]

6. Summary

At each level there are four considerations, which the JTF-CNO ranks in order of
decreasing significance. First, any planned or ongoing military operation(s) is the
criterion with the greatest significance. Any intelligence I&W is the next consideration
in significance. Detected network activities indicating reconnaissance or attack is the
second lowest item of significance. Interestingly, the impact of a CNA is the least
significant criterion, but it is the only criterion for the highest INFOCON level. [LU01,
RA02]

These four considerations fall into three broad categories of factors that
influence the INFOCON level. These categories are operational, technical, and
intelligence. The intelligence category includes such areas as US CNA intelligence,
foreign intelligence, and law enforcement intelligence. Significant change in one or
more of the three categories is the basis for the INFOCON level. [LU01, RA02]

An increase in the probability of an attack is reflected by each level, culminating
in the Delta level, which requires the occurrence of general attacks. The probability of
an attack would be derived from the combination of actual events and expected events.
Thus, the probability of an attack is one possible, implied method of definition for the
criteria. [LU01, RA02]

The severity of impact of the attack also increases with each level, to the point
that it is the only criterion for the Delta level. Though the impact is considered the least
significant criterion, it is still a contributing element to the definition of the INFOCON
level criteria. Therefore, another possible, implied method of definition for the criteria is
the severity of the impact of the threat or attack. [LU01, RA02]

The documentation gives no explicit definition of the levels, nor is there definitive
evidence that one exists. The analysis of the INFOCON level criteria revealed two
possible definitions implied by the vague, generalized criteria: the severity of the impact
of an attack and the probability of an attack. Therefore, in the absence of concrete
criteria or definitions, the probability of an attack and the severity of the impact of an
attack are the implied methods of definition selected for the INFOCON levels.
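The determination and declaration procedures of Section C, together with the level criteria analyzed above, can be expressed as a small model: the criteria of each level become a set of indicator tags, meeting any one tag justifies elevation to that level, and a command’s declared level is floored at the level directed by SecDef or the CJCS. The Python below is an added illustration and is not code from the thesis or from any DOD guidance; the tag names, the data structures, and the encoding of the directed-floor rule are assumptions made for this example, with the criteria paraphrased from the level descriptions above.

```python
"""Illustrative model of INFOCON level determination and declaration.

Added example, not from the thesis or from any DOD document. The criteria are
paraphrased from the level descriptions as short indicator tags; the tag names
and the data structures are assumptions made for this illustration.
"""
from enum import IntEnum


class Infocon(IntEnum):
    """The five levels, ordered so that max() picks the higher posture."""
    NORMAL = 0
    ALPHA = 1
    BRAVO = 2
    CHARLIE = 3
    DELTA = 4


# One set of indicator tags per level. Meeting ANY tag for a level justifies
# elevation to that level; Normal has no trigger because it is the floor.
CRITERIA = {
    Infocon.ALPHA: {
        "planned_or_ongoing_operation_or_exercise",
        "iw_general_threat",
        "scans_pattern_of_surveillance",
        "regional_event_cna_capable_adversary",
    },
    Infocon.BRAVO: {
        "planned_or_ongoing_major_operation",
        "iw_specific_targeting",
        "concentrated_reconnaissance",
        "attempted_penetration_or_dos_no_impact",
    },
    Infocon.CHARLIE: {
        "intel_assessment_limited_attack",
        "detected_attack_limited_impact",
    },
    Infocon.DELTA: {
        "successful_attack_impacting_operations",
        "widespread_incidents_risk_of_mission_failure",
    },
}


def justification(indicators):
    """Map each level to the subset of its criteria that the indicators satisfy."""
    indicators = set(indicators)
    return {level: sorted(tags & indicators)
            for level, tags in CRITERIA.items() if tags & indicators}


def assess_level(indicators):
    """Determine the INFOCON: the highest level with at least one criterion met."""
    met = justification(indicators)
    return max(met, default=Infocon.NORMAL)


def declare_level(local_assessment, directed_floor):
    """Declare a command's INFOCON.

    A command may raise its own level, but it must never sit below the level
    directed by SecDef/CJCS, so the directed level acts as a floor.
    """
    return max(Infocon(local_assessment), Infocon(directed_floor))


if __name__ == "__main__":
    observed = {"scans_pattern_of_surveillance",
                "attempted_penetration_or_dos_no_impact"}
    local = assess_level(observed)
    print("local assessment:", local.name, justification(observed))
    print("declared with DOD at CHARLIE:",
          declare_level(local, Infocon.CHARLIE).name)
```

Because `assess_level` takes the maximum over all levels with a satisfied criterion, a Bravo indicator elevates the assessment even when only Alpha indicators were expected, which is the "any criterion can be met" rule of the guidance; `declare_level` keeps the command from declaring below the DOD-wide level.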

E. ANALYSIS OF EACH INFOCON LEVEL’S RECOMMENDED ACTIONS

The recommended actions include some ‘appropriate’ general security practices,
which are detailed below. These very general practices, if implemented correctly, can
significantly reduce the risk of a successful attack against an information system.
Good, solid security practices are the foundation of a sound, prevention-based
information assurance program. The next several paragraphs detail some of the
conceptual security practices put forth by the INFOCON guidelines. [RA02]

System  administration,  including  system  security  administration,  is  always  critical 
to  securing  an  information  system.  Organizations  must  ensure  their  systems  are 
administered  by  technically  qualified  and  experienced  personnel.  These  personnel  must 
be  provided  periodic  professional  training  in  system  administration  and  security.  All 
system  administrators  (SAs)  and  system  security  administrators  (SSAs)  require  the 
necessary  tools  to  assist  them  in  effective  baseline  management,  auditing,  and  network 
intrusion  detection.  Also,  critical  to  reliable  and  secure  operations  are  configuration 
management,  proper  staffing,  and  strong  systems  security  policies.  [RA02] 

SAs  should  perform  regular  auditing  and  log  review  for  suspicious  activity. 
Logging  and  review  requirements  should  increase  as  the  INFOCON  level  increases. 
These  requirements  include  more  frequent  reviews,  analysis  of  activity  below  normal 
trigger  thresholds,  focused  string  searches,  and  the  submission  of  logs  to  a  designated 
organization  that  conducts  specialized  reviews.  [RA02] 
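As an added illustration of how logging and review requirements can tighten with the INFOCON level, the Python below runs a simple failed-login review over a few constructed syslog-style lines: the per-source trigger threshold drops, the review interval shrinks, and focused string searches are added as the level rises. It is not code from the thesis; the per-level thresholds, review intervals, sample log lines, and search strings are assumptions chosen for the example.

```python
"""Illustrative INFOCON-scaled log review.

Added example, not from the thesis. The review policy numbers, the sample log
lines, and the focused search strings are all constructed assumptions chosen
to show how trigger thresholds and review frequency tighten as the level rises.
"""
import re
from collections import Counter

# Constructed syslog-style sshd lines (not real data).
SAMPLE_LOGS = """\
Mar 12 03:14:01 host1 sshd[2211]: Failed password for root from 10.0.0.5 port 5020 ssh2
Mar 12 03:14:03 host1 sshd[2211]: Failed password for root from 10.0.0.5 port 5021 ssh2
Mar 12 03:14:05 host1 sshd[2211]: Failed password for admin from 10.0.0.5 port 5022 ssh2
Mar 12 03:15:10 host1 sshd[2219]: Accepted password for jsmith from 10.0.0.7 port 5100 ssh2
Mar 12 03:16:44 host1 sshd[2230]: Failed password for oracle from 10.0.0.9 port 5200 ssh2
Mar 12 03:17:00 host1 sshd[2240]: Accepted publickey for deploy from 10.0.0.12 port 5300 ssh2
Mar 12 03:18:30 host1 sshd[2250]: Failed password for invalid user test from 10.0.0.5 port 5023 ssh2
"""

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Review policy per level (assumed values). "threshold" is the number of failed
# logins from one source that raises an alert; lowering it at higher levels is
# the "analysis of activity below normal trigger thresholds" the guidance asks
# for. "strings" are the focused string searches run at that level.
POLICY = {
    "NORMAL":  {"threshold": 10, "review_hours": 24, "strings": []},
    "ALPHA":   {"threshold": 5,  "review_hours": 12, "strings": []},
    "BRAVO":   {"threshold": 3,  "review_hours": 4,  "strings": ["invalid user"]},
    "CHARLIE": {"threshold": 1,  "review_hours": 1,  "strings": ["invalid user", "root"]},
    "DELTA":   {"threshold": 1,  "review_hours": 0,  "strings": ["invalid user", "root", "oracle"]},
}


def review_logs(level, log_text):
    """Review log_text under the policy for `level`.

    Returns the sources whose failed-login count reached the level's threshold,
    the lines matched by the level's focused string searches, and how often
    (in hours; 0 means continuous) the review is to be repeated.
    """
    policy = POLICY[level]
    failures_by_source = Counter()
    string_hits = []
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if match:
            failures_by_source[match.group(2)] += 1
        for needle in policy["strings"]:
            if needle in line:
                string_hits.append((needle, line))
    alerts = {src: n for src, n in failures_by_source.items()
              if n >= policy["threshold"]}
    return {"alerts": alerts, "string_hits": string_hits,
            "review_hours": policy["review_hours"]}


if __name__ == "__main__":
    for level in POLICY:
        result = review_logs(level, SAMPLE_LOGS)
        print(level, "alerts:", result["alerts"],
              "string hits:", len(result["string_hits"]),
              "review every", result["review_hours"], "h")
```

At Normal the four failures from one source stay below the trigger and produce nothing; at Bravo the same lines raise an alert, and at Charlie the single failure from the second source is surfaced as well, which is the point of reviewing activity below the normal threshold once the level rises.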
Periodic back-ups of files critical to the accomplishment of the mission should be
conducted by the system administrators. The storage of the back-ups should be isolated
from any network, as well as physically separated from the originating facility. A rise in
the INFOCON level may warrant an increase in the frequency of back-ups, but no
guidelines are specified. If the INFOCON level increases, back-up frequency may
increase from quarterly, monthly, or weekly to daily or real-time. [RA02]

All organizations should establish procedures for conducting internal security
reviews. As a minimum, an internal security review should include: searching for default
and weak passwords, conducting vulnerability scans, identifying network access points
and their operational importance, raising the awareness of all users of any new
vulnerabilities that are found, examining historically dormant or infrequently used
accounts for signs of unusual activity, and reviewing all pertinent technical advisories.
Acting on technical advisories includes installing patches, implementing fixes, and
executing preventive or mitigating actions. [RA02]

Procedures should also be established for coordinating external vulnerability
assessments and analysis of the organization’s information systems. Outside agencies
such as DISA, NSA, and Service CERTs/CIRTs should conduct the assessments and
analysis. Network scans, OPSEC surveys, COMSEC reviews, and red team operations
may be included in such assessments. [RA02]

The appropriate general security practices just detailed are referred to in the
documentation by two descriptions within the recommended actions of the INFOCON
system: ‘appropriate response actions’ and ‘appropriate security practices’, used at
different levels. The two descriptions seem to entail the same actions, such as an
increased level of auditing. This thesis will use ‘appropriate response actions’, because
‘appropriate security practices’ implies actions done on a continual basis, not as a
response to an indicator. There are recommended actions for each INFOCON level, and
before implementing a higher level’s actions, all actions required at the lower levels must
be implemented.
The recommended actions, unless specifically directed by the Secretary of Defense,
are the response measures associated with the INFOCON levels. The response measures
must be applied judiciously; otherwise they may result in the needless loss of operational
capability due to the unnecessary or overzealous application of safeguards. Such
overwrought reactions might actually contribute to the adversary’s objectives. Also, the
response measures directed by combatant commands take precedence over those
directed by the Service INFOCONs. [RA02]

1. Normal

The Normal level’s recommended actions are the minimum set of actions for all
the INFOCON levels. These actions correspond to those required of any system that has
been certified and accredited through the DOD Information Technology Security
Certification and Accreditation Process (DITSCAP). [BU01, DI03, DOD05]

The actions at this level involve identifying all mission critical information,
information systems, the information systems’ operational importance, all points of
access, and the operational necessity of those access points. Employing normal reporting
procedures, periodically reviewing and testing higher INFOCON levels, and conducting
all normal security practices on a continuing basis are also recommended actions at this
level. Normal security practices include conducting education and training for users,
administrators, and management, conducting periodic internal security reviews, external
vulnerability assessments, normal auditing, review of file back-up procedures, installing
patches for newly identified vulnerabilities, and ensuring that an effective password
management program is in place. [DOD04, RA01, RA02]

2.  Alpha 

Alpha’s  recommended  actions  are  to  execute  appropriate  response  actions,  and 
employ  normal  reporting  procedures.  Also,  in  addition  to  reviewing  and  testing  the 
higher  level  INFOCON  actions,  proactive  execution  of  those  levels  should  be  considered. 
Appropriate  security  practices  at  this  level  include  increasing  the  level  of  auditing, 
reviewing  of  critical  file  back-up  procedures,  conducting  internal  security  reviews  on  all 
critical  systems,  executing  appropriate  defensive  tactics,  and  heightening  the  awareness 
of  all  information  system  users  and  administrators.  [RA02] 
3. Bravo

The Bravo level actions are to ensure increased reporting requirements are met,
to execute appropriate security practices, and to review, test, and consider proactive
execution of higher level INFOCON actions. Appropriate response actions at
this level include increasing the level of auditing, reviewing critical file back-up
procedures, conducting an immediate internal security review on all critical systems,
executing appropriate defensive tactics, identifying new vulnerabilities, installing
patches, and disconnecting unclassified dial-up connections not required for current
operations. [RA02]

4. Charlie

The actions at the Charlie level involve executing appropriate response actions,
ensuring increased reporting requirements are met, and reviewing, testing, and considering
proactive execution of higher level INFOCON actions. Appropriate response actions
include conducting the maximum level of auditing, reviewing critical file back-up
procedures, giving consideration to restricting traffic to mission essential communication
only, reconfiguring information systems to minimize access points and increase security,
re-routing mission-critical communications through unaffected systems, executing
appropriate defensive tactics, employing alternative modes of communication,
disseminating new contact information, and disconnecting all non-mission critical
networks.

5. Delta

At  Delta,  the  recommended  actions  are  to  ensure  increased  reporting  requirements 
are  met  and  to  execute  applicable  portions  of  the  continuity  of  operations  plan.  The 
continuity  of  operations  plan  should  include  isolating  compromised  systems  from  the  rest 
of  the  network,  designating  alternate  information  systems,  disseminating  new 
communication  procedures,  executing  procedures  for  ensuring  a  graceful  degradation  of 
information  systems,  implementing  procedures  for  conducting  operations  manually  or  in 
"stand-alone"  mode,  and  executing  other  appropriate  defensive  tactics.  [RA02] 

Appropriate defensive tactics at this level are the possible responses to malicious
activities. Such activities may be classified into six categories: reconnaissance or
suspicious activity, unauthorized access, denial of service, data browsing, data
corruption, and malicious code. Careful consideration must be given to the potential
practical and legal consequences before the defensive tactics are executed. The
defensive tactics are reactive responses to an assessed network attack. [RA02]

6. Summary

Network defense should, ideally, be based on advance warning of a network
attack. The response measures should be commensurate with the risk and the
mission requirements. The recommended actions as detailed above, which are quite
vague, become increasingly reactive and less preventive as the INFOCON levels
escalate. Though not apparent from the very general recommended actions delineated
above, it is operationally infeasible, per the JTF-CND, for the entire DOD to raise the
INFOCON level to Bravo or above. [RA02]


F. ANALYSIS OF INFOCON LEVELS TO DETERMINE DEMARCATION METHOD

Now that the INFOCON levels have at least implied definitions, their demarcation,
if any, must be determined. There is no explicit demarcation method specified in the
documentation. The criteria that constitute the “cutoff” between each level need to be
determined, if there are any. The question is: is there a common “theme” to each level that
could be leveraged when choosing the appropriate set of safeguard techniques to apply?
The analysis below will consider options to determine if there are implied methods of
demarcation.

The probability of an attack at the lowest level, Normal, is not significant. The
next level, Alpha, indicates an increased probability of attack, whereas the Bravo level
indicates a specific probability of attack, but successful attacks have not yet occurred.
Once limited attacks start to occur, an increase to INFOCON level Charlie is warranted.
The highest level, Delta, indicates the highest probability of attack because of the actual
occurrence of general attacks. [RA01, RA02]

Several methods of demarcation were considered, based upon the author’s
experience and education. The INFOCON system is generalized so that those in
authority are not bound to concrete guidelines. Each INFOCON level reflects the
appropriate information operation measures to be taken based on the risk posed by the
intentional disruption of DOD systems. The implied demarcation method is the probability
of an attack, because it is based on operational, intelligence, and technical information.
[NA02]

This chapter has detailed the INFOCON system. The criteria used to “set” the
appropriate level were shown to be very general, and not tied to any specific threat or
even category of threat. The “appropriate security practices” are likewise quite general,
as are the recommended actions. Because of this, only implied criteria of demarcation
could be considered and analyzed. Without an explicit method of demarcation, the
analysis needed to determine the appropriate proactive safeguard responses for each
INFOCON level will also be somewhat subjective.
IV. ANALYSIS OF NETWORK DEFENSE METHODOLOGIES


The extent of the Nation’s cyber vulnerability will never truly be known, because
the most costly and damaging attacks are not made public. This information is generally
not made public in order to preserve the integrity of public institutions. The Computer
Security Institute (CSI)/FBI Computer Crime and Security Survey in 2001 stated
that 85 percent of the respondents detected computer security breaches within the last 12
months. Their Internet connection was the most frequent point of attack, at 70 percent. In
2003, the Computer Crime and Security Survey found that 92 percent of the respondents
had detected attacks within the last 12 months. Again, the respondents’ Internet
connections were the point of attack 78 percent of the time. The Nation’s defense
networks and computers use much of the same hardware and software as the general
public. The military refers to these products as COTS, or Commercial Off-The-Shelf,
products. Thus, the defense systems are subject to the same attacks as those systems. A
General Accounting Office (GAO) report released in 2001 indicated that more than 60
percent of military computers had been compromised. [BU01, CO02, CSRC01, CSRC03,
NA01, SANS05, SANS08, SANS10]

Though the world is at great risk from cyber attacks, an extraordinarily small
amount of research on building truly secure systems is being conducted. Only a tiny
group of researchers is exploring long-term solutions to this problem. The Naval
Postgraduate School Center for Information Systems Security Studies and Research (NPS
CISR), led by Dr. Cynthia Irvine, is one such group. [CI02, NA01]

Unfortunately,  because  of  a  lack  of  widespread  knowledge  on  how  to  build  secure 
computer  systems,  as  well  as  the  lack  of  economic  impetus  to  build  them,  other  methods 
must  be  employed  to  secure  our  cyber  interests.  The  INFOCON  guidance  does  not 
explicitly  specify  a  defensive  methodology  that  should  be  used.  All  information 
assurance  defensive  methodologies  must  be  based  on  policies  that  are  endorsed  by 
management and that are well written, maintained, and implemented. [CL01, IR01,
NA01]
A. PERIMETER DEFENSE

The  perimeter  defense  model  uses  hardware  and/or  software  to  protect  a  network 
by  providing  well  protected  gateways  between  trusted  and  un-trusted  network  domains. 
It  provides  an  “outer  ring  of  protection”  for  systems  in  the  trusted  domain  so  that  they  can 
connect  to  un-trusted  domains  despite  the  presence  of  exploitable  vulnerabilities  within 
each  of  the  individual  systems.  It  is  now  common  to  see  "enclaves"  hiding  from  the 
Internet  behind  firewalls.  However,  these  enclaves  often  have  few  native/on-board 
defensive  measures  of  their  own  for  self-protection.  Most  of  the  commercially  available 
operating systems and networks available today offer only weak defensive mechanisms;
therefore they are vulnerable and difficult to protect. [CSRC01, DE03, DT01, NA01,
NA02, SC01]

General  acceptance  of  the  perimeter  defense  model  occurred  because  it  seemed  to 
be  easier  and  less  expensive  to  secure  only  the  gateways  rather  than  the  many 
applications  and  systems  that  “sit”  behind  them.  Perimeter  defenses  can  prevent,  absorb, 
or  detect  scans,  probes,  or  malicious  attacks,  thus  reducing  the  risk  to  the  internal 
network.  The  major  risk  of  relying  solely  on  a  perimeter-style  defensive  strategy  is  that  a 
single successful penetration could compromise the entire network. [CSRC01, DE03,
DT01, FU01, NA01, NA02, SC01]

Typical  perimeter  defenses  include  technologies  like  routers,  firewalls,  and 
application  proxies.  There  are  many  possible  perimeter  defense  designs.  Eactors  that 
influence  design  include  the  degree  of  security  required  and  the  cost.  A  firewall  is 
effective  at  controlling  external  access.  It  also  can  indicate  the  amount  and  type  of  hostile 
intention  the  network  is  attracting.  [DE03,  EUOl,  SCOl,  ZEOl] 

Even  though  properly  configured  and  maintained  perimeter  defense  mechanisms 
prevent  many  types  of  malicious  access,  they  do  not  provide  protection  against  all  outside 
threats. Adversaries exploit security flaws to attack user computers directly through
email and web browser scripting languages. [FU01, CSRC01]
B. DETECTION METHODOLOGY

Due  to  the  large  number  of  network  security  threats,  it  is  not  a  matter  of  whether 
malicious  activity  will  occur,  but  when  and  where.  The  Detection  Methodology  allows 
for  the  detection  of  malicious  activity.  Detection  mechanisms  identify  and  alert  on 
unauthorized  activity.  The  activity  can  be  from  an  external  or  internal  source.  This  is 
critical to security for two reasons. First, if an unauthorized person is accurately detected
on a network, it is possible to stop them before they can do any damage. Second, even if
damage is done, it can be detected more quickly, which facilitates prompt damage
mitigating actions. [CSRC02, CSRC06, FU01, IN01, OM01, SANS08, ZD01]

The most common Detection tool is an Intrusion Detection System, or IDS. IDSs
can be either hardware- or software-based. An IDS may detect security violations that
cannot be prevented, and it documents intrusion attempts for the organization. Two other
detection tools are Honey Pots and Padded Cell Systems. Honey Pots are decoy systems
that attempt to lure a malicious person away from the real (i.e., operational) target
network. Padded Cell Systems are similar to Honey Pots, but instead of luring the
malicious person, the malicious person is seamlessly transferred to a decoy system after
detection. [CSRC02, CSRC06, FU01, IN01, OM01, SANS08]

The  effectiveness  of  Detection  mechanisms  is  based  on  detection  accuracy  and 
performance.  The  accuracy  of  detection  is  determined  by  the  methodology  employed. 
Performance  is  the  mechanism’s  ability  to  reliably  inspect  all  the  traffic  crossing  the 
network.  Most  Detection  mechanisms  have  several  limitations.  They  do  not  scale  well. 
They  create  a  large  number  of  false  positives  and  an  incredibly  large  volume  of 
information.  The  automated  systems  are  not  usually  effective  against  sophisticated 
adversaries.  Finally,  these  mechanisms  are  not  well  protected  from  malicious  activity 
themselves. [CSRC02, FU01, IN01, OM01, PR01]

C.  ENCRYPTION 

Encryption is the process of converting data into a form that is unreadable by
anyone except the intended recipient. Encryption mechanisms can secure data on
systems, as well as data that is in transit between systems or networks. Data integrity,
authentication, confidentiality, and authorization mechanisms all employ encryption to
secure a system or network. [DI02, FU01, HA01, SE01, SS01]

Tools  that  use  encryption  include  Virtual  Private  Networks  (VPNs)  and  digital 
signatures.  A  VPN  is  comprised  of  two  or  more  remote  locations  that  use  encrypted 
tunnels  to  create  a  “private”  channel  over  a  public  network.  Digital  signatures  use  public 
key  encryption  techniques  to  ensure  that  a  document  is  authentic  and  has  not  been 
modified. [FU01, HA01, SE01, SS01, WA01]

Encryption  frequently  impacts  performance  because  of  the  time  needed  to  encrypt 
and  decrypt  the  data.  Key  management  can  be  the  weakness  of  encryption,  because  users 
are  unwilling  or  unable  to  manage  encryption  keys  in  a  secure,  diligent  manner. 
Encryption  is  an  excellent  defensive  methodology,  but  it  is  not  an  end-all  solution  to 
security. [DA01, FU01, HA01, SE01]


D. PHYSICAL SECURITY

Not  everyone  considers  physical  security  as  a  network  defense  methodology. 
However,  unauthorized  physical  access  to  facilities  defeats  most  of  the  more  technical 
security  measures  of  systems  and  networks.  Therefore,  it  must  be  a  primary  network 
defense  methodology.  Physical  security  restricts  physical  access  to  information 
resources.  It  can  be  as  simple  as  a  locked  door  and  as  complex  as  money  and  technology 
will allow. [CE01, FU01, SANS06, SANS11]

E.  DEFENSE  IN  DEPTH  METHODOLOGY 

The  DOD  leads  the  way  in  defining  the  Defense  in  Depth  (DID)  methodology  to 
achieve  network  security  in  an  untrusted  environment.  This  methodology  can  be  applied 
to  any  information  system  or  network.  The  DID  methodology  integrates  people, 
operations,  and  technology  to  establish  multiple  layers  and  dimensions  of  defense 
mechanisms  across  an  information  infrastructure.  Multiple  layers  help  to  ensure  that 
vulnerabilities  in  one  layer  will  be  covered  by  the  other  layers.  Each  layer  and  its 
associated  technologies  complement  the  protection  provided  by  the  other  layers  and 
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technologies.  Thus,  DID  is  essentially  a  combination  of  all  of  the  methodologies 
previously  discussed,  in  addition  to  lesser  defense  tools/concepts/implementations  that 
are  not  major  “methodologies”,  but  nonetheless  can  contribute  to  the  DID  strategy.  A  key 
point  to  DID  is  that  it  employs  multiple  tools  of  the  same  type,  such  as  more  than  one 
IDS;  and  more  than  one  technology,  such  as  the  application  of  filtering  in  addition  to  an 
IDS. [AS01, CN01, CSRC01, FU01, HA01, NA02, NA04, NE01, NE02, SANS04,
SANS07, SANS09, SY02]

There  are  many  possible  tools  that  can  be  used  in  a  DID  protection  strategy.  The 
DMZ  is  one  tool  that  hasn’t  been  previously  discussed.  It  is  the  perimeter  network 
segment  that  is  logically  between  internal  and  external  networks  that  is  also  known  as  a 
screened subnet. It provides untrusted, external subjects with restricted access to specific
applications and services. [AS01, CN01, FU01, HA01, NA02, NE01, NE02, SANS07]


Figure 7. Illustration of DID with DMZ.

Mechanisms  employed  to  provide  DID  allow  one  type  of  protection  to  fail 
without  compromising  the  entire  defensive  infrastructure.  This  assumes  the  different 
mechanisms  of  defense  do  not  share  vulnerabilities.  Because  of  the  variety  and  number 
of  attack  methods  and  attackers,  the  DID  methodology  reduces  the  risk  of  successful 
attacks  by  employing  many  methods  of  defense  each  addressing  different  kinds  of  attacks 
and attackers. [AS01, FU01, HA01, NA02, NA04, NE01, SANS04, SANS07]
F. SUMMARY

Information assurance cannot be accomplished by a single security mechanism or technology. The methodology that gives the greatest coverage and reduction in risk is the Defense in Depth methodology. [FU01, HA01, HA02]

Of all of the methodologies presented, none has a pre-defined, directed approach to its design or implementation. All of the methodologies are ad hoc and conducive to escalation, but none has any formal escalation process. Some of the mechanisms presented are conducive to a predefined escalation process. This process could be another dimension in the DID methodology, incrementally increasing the defensive technologies. A predefined escalation process would enhance the ability of the DOD to attain the goals of the INFOCON system.




V.  RECOMMENDATIONS 


There is only one goal of the INFOCON system. It is to protect DOD systems while still supporting accomplishment of the systems’ mission. A subordinate goal is to coordinate the overall defensive effort of the DOD through adherence to standards. These goals will not be realized if the system is inadequate, overreactive, or difficult to use. In support of these goals the DOD instituted the directive for the DOD Information Technology Security Certification and Accreditation Process, or DITSCAP. This directive, and those that implement it, require all DOD systems to be certified and to have established a baseline level of IA. The existing INFOCON has no correlation or integration with the DITSCAP. [BU01, DODOS, DOD05, DOD06, RA02]

The existing INFOCON system was written by policy makers, not by technical people. The ambiguity of the criteria of each level and the reactive nature of the recommended actions are the result. The previous chapter was a detailed analysis of that system. This chapter will detail the evolution of the INFOCON system from a technical perspective. In addition to the existing INFOCON goals, the recommended system will endeavor to seamlessly integrate itself into DOD IA community procedures.


A. LEVELS

There  are  many  things  to  be  taken  into  consideration  when  creating  a  warning 
system.  The  primary  consideration  is  for  whom  the  warning  system  is  being  developed. 
Since  the  goal  of  the  INFOCON  system  is  to  protect  DOD  systems,  this  warning  system 
is  designed  for  use  by  those  whose  jobs  are  to  do  just  that. 

1.  Demarcation  Method 

The demarcation method is based on limiting the external exposure of the information infrastructure. This will be done by basing the exposure on the Mission Assurance Categories (MAC) from the DITSCAP. The MAC represents the amount of integrity and availability required for a system and has three levels. MAC III is the lowest level; it covers systems that handle day-to-day business but don’t materially affect support of forces in the short term. It requires only basic integrity and availability.13 Systems that are important to support forces are covered by MAC II, which requires high integrity and medium availability. The highest level, MAC I, covers systems that are vital to the operational readiness or mission effectiveness of the forces, both in terms of content and timeliness. It requires both high integrity and high availability. [BU01, DODOS, DOD05, DOD06]

2. Number of Levels

The  logical  demarcation  of  the  levels  would  be  the  primary  determination  of  the 
number  of  levels.  A  secondary  influence  is  the  granularity  that  would  provide  the  most 
efficient  management.  If  there  are  too  many  levels  the  system  administrators  will  be 
overwhelmed.  Too  few  levels  will  result  in  insufficient  granularity  to  address  the  threat 
or  subsequent  risk.  For  these  reasons,  the  number  of  levels  selected  is  four.  The  lowest 
level  actually  encompasses  the  two  lowest  levels  of  the  existing  INFOCON. 

3. Description

The  description  of  a  level  could  be  by  color,  by  name,  or  by  some  well-known, 
pre-ordered  sequence  (e.g.,  the  Greek  alphabet;  Alpha,  Beta,  Gamma,  etc.)  or  any 
combination  of  these.  Using  names  that  are  borrowed  from  an  ordered  sequence  is 
naturally  intuitive  to  remember;  and  the  additional  association  of  a  color  with  each  name 
accommodates  easy  visual  recognition  in  certain  environments. 

For  the  four  levels  chosen  there  will  be  a  descriptive  name  and  a  color.  The  color 
will  allow  quick,  visual  confirmation  with  other  warning  systems.  The  names  are  based 
upon  limiting  the  exposure  of  the  systems  that  accomplish  the  mission.  These  are  shown 
in  Figure  8. 


13 Please see http://www.nstissc.gov/Assets/pdf/4009.pdf (February 2004) for definitions of integrity and availability.
Figure 8. INFOCON Levels

All of the DOD networks are required to use the DID methodology. Therefore it is assumed that all networks using the INFOCON will be fully hardened using the DID methodology. The Normal level represents the norm in which all systems can conduct business. The restriction of access to MAC III systems, which would be the necessary non-mission-critical systems, is the Necessary level. The consequences of the loss of availability and integrity can be tolerated or overcome. The Critical level represents the restriction of access to, but not complete isolation of, MAC II systems, which are mission critical systems that are important to support forces, and the complete blockage of MAC III systems. The critical consequences of the loss of integrity are unacceptable and the loss of availability can only be tolerated for a short time. The restriction of access to MAC I systems and the complete blockage of all other systems is the Grave level. The grave consequences of the loss of integrity or availability are unacceptable. By limiting the exposure of systems in an incremental manner, each level makes the network more secure. [BU01, DODOS, DOD05, DOD06]

4. Criteria

As with the existing INFOCON system, a sufficient increase in threat level will warrant an increase to a corresponding protection level in the INFOCON system recommended in this chapter. There will be two categories of criteria in this newly proposed INFOCON system. One category will define the criteria used by the JTF-CNO to select the appropriate INFOCON level for the entire DOD. The other will be for all of the entities under the DOD, which will be referred to from this point on as components. This separation will give DOD components a more standardized set of criteria and processes to follow. It will also allow the JTF-CNO to know how the components will respond. Both categories of criteria will be directly influenced by the SANS INFOCON, FPCON, DEFCON, WATCHCON, and CNA-WATCHCON warning systems. [SANS00]

a)  JTF-CNO  DOD  Criteria 

The  JTF-CNO  DOD  criteria  will  be  based  upon  the  correlation  of 
indicators  from  warning  systems,  reports  from  the  commands,  and  the  risk  to  the  overall 
system.  This  correlation  will  be  understandably  subjective  because  of  the  nature  of  the 
stored  information,  the  massive  size  and  complexity  of  the  network,  and  the  impact  to  the 
DOD’s  ability  to  complete  its  mission. 

Correlating the indicators from the other warning systems will give the JTF-CNO the ability to take into account threat indications from other arenas, such as intelligence and technical. The SANS INFOCON addresses the threats of malicious network activity and loss of connectivity, which affect the DOD just like everyone else. Correlating the FPCON addresses the terrorist threat to information systems and the Internet infrastructure. The DEFCON addresses the threats to military operations, which may require the information infrastructure to keep our war-fighters safe. The WATCHCON and the CNA-WATCHCON address not only the state-sponsored hacker threat, but also the rogue political group threat to the information systems.

Threat  and  incident  reports  from  individual  DOD  components  will 
also  be  correlated.  These  reports  will  indicate  the  overall  condition  of  the  DOD 
information  infrastructure.  Other  reports  contributing  to  the  overall  threat  picture  will 
contain  information  regarding  planned  and  ongoing  military  operations;  thus 
incorporating  additional  aspects  pertaining  to  the  condition  and  demands  on  the 
information  infrastructure. 

Finally, the risk to the DOD information infrastructure will be assessed. This criterion will actually be a composite of all of the other criteria and any additional information not addressed here. The risk to the information infrastructure must be weighed against the need to accomplish the mission. This is an extremely difficult and subjective criterion because of those concerns.

b)  Component  Criteria 

Components will have their own sets of indicators, and their responses to these, within the general DOD framework. The component criteria will be based upon indicators from warning systems, operations planned or ongoing, technical indicators, and the risk to their systems. The operations planned or ongoing for each component will be different and thus only addressable by that component. The risk is unique to each component, because each component’s information will be valued differently and their systems’ makeup may be different. Therefore, each component will address these criteria differently.

By  correlating  the  indicators  from  the  other  warning  systems,  each 
of  the  recommended  INFOCON  levels  will  have  a  corresponding  “threat”.  The  SANS 
INFOCON  would  map  level  to  level,  thereby  addressing  the  threats  of  malicious  network 
activity  and  loss  of  connectivity.  The  other  warning  systems  each  have  five  levels,  so  the 
first  two  levels  of  each  of  those  systems  will  correspond  to  the  lowest  INFOCON  level. 

Mapping the FPCON levels to the INFOCON levels addresses the terrorist threat to information systems. The DEFCON represents the major military operations planned or ongoing, and so it addresses the threats to those operations, as would the WATCHCON. The CNA-WATCHCON addresses not only the state-sponsored hacker threat, but also the rogue political group threat to the information systems.

The  technical  indicators  address  the  hacker/network  threat.  Some 
of  the  technical  indicators  will  also  be  contained  within  the  SANS  INFOCON.  Network 
surveillance  activities  (i.e.,  scanning  and  mapping)  are  the  technical  indicators  for  the 
level  Normal.  The  technical  indicators  for  the  Necessary  level  are  network  probes  or 
activities  indicating  concentrated,  intrusive,  reconnaissance  activities  (i.e.,  network 
enumeration).  A  network  attack,  whether  it  is  successful  or  not,  is  the  technical  indicator 
for  the  Critical  INFOCON  level.  The  technical  indicator  for  the  Grave  level  is  a 
successful  network  attack  that  attempts  to  gain  access  to  trusted  systems  (i.e.,  pilfering). 
5. Roles and Responsibilities

The  JTF-CNO  will  coordinate  and  assess  all  incoming  reports.  It  will  correlate 
indications  from  the  JTF-CNO  DOD  criteria  and  decide  the  state  of  the  DOD  information 
infrastructure.  The  JTF-CNO  will  be  responsible  for  dispersing  information  to  the 
components  via  the  INFOCON  level. 

SAs  and  SSAs  will  be  responsible  for  gathering  technical  indicators  and  the 
warning  system  levels.  These  would  include  the  DOD  INFOCON  level,  the  SANS 
INFOCON  level,  the  DOD  FPCON  level,  the  DEFCON  level,  and,  if  possible,  the 
WATCHCON  and  CNA-WATCHCON  levels.  This  information,  along  with  the 
recommendation  of  the  SA  or  SSA  for  the  command’s  INFOCON,  will  be  presented  to 
the  Commanding  Officer. 

Commanding Officers (COs) are the final authority on their command’s INFOCON level. They must be able to understand the information and recommendations presented by the SAs/SSAs. The COs must correlate it with knowledge of their commands’ mission, and any other information relevant to the situation (i.e., a classified WATCHCON in effect).
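The level-selection procedure of sections 4.b and 5, written out as an added example (not part of the thesis): the SA/SSA gathers the DOD INFOCON, SANS INFOCON, five-level warning system levels and technical indicators, each is mapped onto the four suggested levels by the rules above, and the most severe result is the recommendation handed to the CO. All names, the rank encoding of the five-level systems and the sample indicators are assumptions.

```python
"""Recommend a component INFOCON level from the indicators an SA/SSA gathers.

Added illustration of this chapter's level-selection procedure; it is not
part of the thesis and every name and sample value here is an assumption.
Rules encoded from the text:
  * the suggested levels are ordered Normal < Necessary < Critical < Grave;
  * the SANS INFOCON (Green/Yellow/Orange/Red) maps level to level;
  * five-level warning systems (FPCON, DEFCON, WATCHCON, CNA-WATCHCON) map
    their first two levels to Normal and the remaining three to
    Necessary, Critical and Grave in order;
  * technical indicators: scanning -> Normal, enumeration -> Necessary,
    attack -> Critical, successful attack on trusted systems -> Grave;
  * the DOD-wide level set by the JTF-CNO is a floor for every component.
The result is a recommendation plus the indicator that drove it, so the CO,
who remains the final authority, can see why it was made.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVELS = ("Normal", "Necessary", "Critical", "Grave")
SANS_MAP = {"Green": "Normal", "Yellow": "Necessary",
            "Orange": "Critical", "Red": "Grave"}
TECHNICAL_MAP = {"scanning": "Normal", "enumeration": "Necessary",
                 "attack": "Critical", "successful_attack_trusted": "Grave"}


def five_level_to_infocon(rank: int) -> str:
    """Map rank 1 (least severe) .. 5 (most severe) of a five-level warning
    system onto the four INFOCON levels. FPCON Normal..Delta is rank 1..5;
    DEFCON n is rank 6 - n (DEFCON 5 is the least severe)."""
    if not 1 <= rank <= 5:
        raise ValueError("rank must be 1..5, got %r" % rank)
    return "Normal" if rank <= 2 else LEVELS[rank - 2]


@dataclass
class Indicators:
    dod_infocon: str                                           # set DOD-wide by the JTF-CNO
    sans_infocon: Optional[str] = None                         # Green/Yellow/Orange/Red
    five_level: Dict[str, int] = field(default_factory=dict)   # e.g. {"FPCON": 3}
    technical: List[str] = field(default_factory=list)         # keys of TECHNICAL_MAP


def recommend(ind: Indicators) -> Tuple[str, str]:
    """Return (recommended level, indicator that drove it)."""
    if ind.dod_infocon not in LEVELS:
        raise ValueError("unknown INFOCON level %r" % ind.dod_infocon)
    candidates = [(ind.dod_infocon, "DOD INFOCON (JTF-CNO)")]
    if ind.sans_infocon is not None:
        candidates.append((SANS_MAP[ind.sans_infocon],
                           "SANS INFOCON %s" % ind.sans_infocon))
    for system, rank in ind.five_level.items():
        candidates.append((five_level_to_infocon(rank),
                           "%s rank %d" % (system, rank)))
    for kind in ind.technical:
        candidates.append((TECHNICAL_MAP[kind],
                           "technical indicator: %s" % kind))
    # the most severe candidate wins; on a tie max() keeps the first one seen
    return max(candidates, key=lambda c: LEVELS.index(c[0]))


if __name__ == "__main__":
    # constructed sample: DOD at Normal, SANS Yellow, FPCON Alpha, only scanning seen
    sample = Indicators("Normal", "Yellow", {"FPCON": 2}, ["scanning"])
    print(recommend(sample))   # ('Necessary', 'SANS INFOCON Yellow')
```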

B.  SAFEGUARD  MEASURES 

The  safeguard  measures  are  in  addition  to  sound  general  security  practices,  such 
as  those  detailed  by  the  NSA.14  The  safeguard  measures,  as  part  of  a  DID 
implementation,  will  protect  DOD  systems  and  networks.  It  is  assumed  that  all  DOD 
components  employ  the  DID  methodology.  Though  it  is  still  a  draft,  it  is  also  assumed 
that  the  Ports,  Protocols,  and  Services  Management  (PPSM)  DOD  instruction  is  being 
applied.  The  details  of  what  ports  and  protocols  to  block  for  PPSM  are  classified.  The 
guiding  principle  of  denying  all  access  except  that  necessary  to  conduct  official 
“command”  business  must  be  followed.  [DODOS] 


14 Please see http://www.issa-utah.org/pdf/sd-7.pdf (February 2004) for “The 60 Minute Network Security Guide”.
Application of the least privilege principle in this manner is known as Deny by Default, and is the primary perimeter defense strategy. The perimeter is the principal method of limiting exposure and is the boundary between a component’s network and all other outside networks to which it may be connected. At the Normal level this boundary has gates that are open to allow commerce and communication to flow freely. The boundary stiffens and the gates limit the traffic between the component and the Internet at the Necessary level. At the Critical level, the gates limit the traffic to only that to and from the .mil domain. Since this recommended INFOCON behavior is for the DOD alone, this is a feasible strategy. All traffic must pass the gates via an encrypted tunnel at the Grave level.

However, the component at the other end of the tunnel may not be at the same INFOCON level and therefore may not be following the same policies and procedures. If that component is at a lower INFOCON level, this may expose the higher INFOCON level component. Unfortunately, if each component necessarily raised itself to the highest level of any other component it communicated with, there would be a cascade effect that, given sufficient time and communication, could eventually encompass the entire DOD. So this exposure is inescapable because it is not feasible to make the entire DOD respond to such an event.

Most  of  the  existing  INFOCON  recommended  actions  are  general  policies  in  the 
DOD.  These  are  still  pertinent  and  can  be  found  in  Appendix  F.  [RA02] 

The suggested safeguard measures are technical actions and are detailed in Table 1. The measures take into account that communication within the DOD must always be available. The myriad of possible network topologies and DID implementations make it impossible to create a fixed set of safeguard measures that are appropriate in every instance. Instead, the safeguard measures elaborated upon here will be for a prototypical network and the commonly supported network services found on it. It is also assumed that existing reporting procedures will be utilized. [DODOS, DOD07, DODOS]
| Area/Tools | Normal | Necessary | Critical | Grave |
|---|---|---|---|---|
| Perimeter: All | Install latest patches, updates | | | |
| Gateway Router | Deny by Default | Deny by Default; Allow port 80 | Deny by Default; Allow port 80 | Block all ports except VPN |
| | Don't allow untrusted addresses to port 53 | | | |
| | Disable any unused interfaces and mgmt ports | | | |
| | Block certain ICMP (allow outbound Echo; allow inbound Echo Reply, Dest Unreachable) | Block all ICMP | | |
| | Block inbound traceroute | | | |
| | Log each stmt blocked by filters | | | |
| | Logging is at lowest level (Cisco=Errors). Logs sent to SysLog server. | Set logging to one level below medium (Cisco=Warnings). | Set logging to medium level (Cisco=Notifications). Log all traffic. | The highest/most serious level of logging (Cisco=Information). Send logs to dedicated printer. |
| | Block inbound IPs from protected network, local host, or multicast addresses | | | |
| | Block outbound IPs that have external IP as source IP. Block packets with same src/dest IP and port. | | | |
| | Restrict telnet access to internal interfaces to a small set of computers. Log all connections. | Disallow telnet access to the router. | | |
| | Restrict SSH access to a small set of computers; SSH access only. Log all connections. | Disallow external SSH access to the router. | | |
| | Sample two reliable NTP servers for time | | | |
| | Set all log messages to the same IP source address of an internal network interface | | | |
| Firewall | Deny by Default | Deny by Default; Allow port 80 | Deny by Default; Allow port 80 | Block all ports except VPN |
| | Log each stmt blocked by filters | | | |
| | Logging is at lowest level (Cisco=Errors). Logs sent to SysLog server. | Set logging to one level below medium (Cisco=Warnings). | Set logging to medium level (Cisco=Notifications). Log all traffic. | The highest/most serious level of logging (Cisco=Information). Send logs to dedicated printer. |
| Managed Switch | Deny by Default | Deny by Default; Allow port 80 | Deny by Default; Allow port 80 | Block all ports except VPN |
| | Deny Voice over IP | | | |
| | Isolate critical systems on their own VLAN | Restrict access to critical VLANs | | |
| | Logging is at lowest level (Cisco=Errors). Logs sent to SysLog server. | Set logging to one level below medium (Cisco=Warnings). | Set logging to medium level (Cisco=Notifications). Log all traffic. | The highest/most serious level of logging (Cisco=Information). Send logs to dedicated printer. |
| | Log each stmt blocked by filters | | | |
| | Log all traffic to critical VLANs | | | |
| | Password protect all interfaces and mgmt ports | | | |
| | Sample two reliable NTP servers for time | | | |
| Detection: All | Install latest patches, updates | | | |
| Scanner | Externally port scan network 2/month | Externally port scan network 1/week | Externally port scan network daily | Externally confirm VPN, NTP ports visible |
| Pwd Cracker | Run 2/month | Run weekly | Run daily | |
| Syslog | Disable unnecessary servers and accounts on log host. Audit weekly | Send email alerts to SA; Audit 2/week | Audit logs daily | Audit logs twice a day |
| IDS | Monitor TCP/IP, UDP traffic from gateway router | Monitor all traffic from gateway router | Monitor all traffic from firewall | |
| | Enable the fastest alert mode | Enable the full alert mode | | |
| Virus Scanners | Run daily on all computers | Run 2/day | | |
| Services: All | Install latest patches, updates | | | |
| | Shutdown unnecessary services | | | |
| | Each service is on a dedicated host. | | | |
| Web | Remove all unnecessary services on web server host | Block access to Internet Mail | Put up static content web site | Stop web service |
| | Isolate the web server physically and virtually | | | |
| | Separate content into separate directories | Make all non-executable directories read only | Make all content read only, not executable | |
| | Enable web site logging. Audit weekly. | Audit daily | | |
| | Audit system binaries 2/month | Audit system binaries weekly | Audit system binaries daily | |
| | Remove all samples installed | | | |
| FTP | Only allow if necessary for the mission. Anonymous FTP allowed. | Require authentication to FTP server. Disable anonymous FTP. | Disallow writes to public directories via FTP | Stop FTP service |
| SNMP | Don't use standard community strings; restrict access to SNMP server | Allow read only access. Log all access. | Disable all SNMP servers | |
| DNS | Disable the BIND name daemon on non-DNS servers. Enable logging. Audit weekly | Audit 2/week | Audit daily | |
| DHCP | Enable logging. Audit weekly | Audit 2/week | Audit daily | |
| PDC / Active Directory | Log all unsuccessful login attempts; log every action by root account. | Log all login attempts; log attempts by unprivileged users to perform administrative actions | | |
| Printers | Block all external access | | | |
| Dial-in access | Authenticate using network login | Restrict access to auth numbers | Block access | |
| | Number isn't in the grouping of the org | | | |
| | Don't publish the number | | | |
| Applications: All | Install latest patches, updates | | | |
| | Enable app logging at lowest level | Enable app logging at medium level | Enable app logging at highest/most serious level | |
| Email | Don't open attachments unless from a trusted source | Encrypt all email to non-.gov and non-.mil sites. | Allow email to and from .mil only and require digital signatures | Encrypted email to .mil only |
| | Block .bas, .bat, .chm, .com, .cpl, .crt, .exe, .hta, .inf, .ins, .isp, .js, .jse, .lnk, .msi, .msp, .mst, .pif, .pl, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .ws, .wsc, .wsf, .wsh attachments | Block all Microsoft Office attachments. | Block all attachments. | |
| FTP | Disable unless necessary | Disable external access | Disable | |
| TELNET | Disable external access. Disable internal use unless necessary | Disable | | |
| r cmds | Disable external access. Disable internal use unless necessary | Disable internal access | Disable | |
| SSH | External allowed to gov't & mil sites | External allowed to mil sites | Internal access only | |
| SendMail | Don't display the version number. | Disable external access | Disable | |
| | Decode alias isn't available | | | |
| VPN | Available for telecommuting | Restrict external VPN access | Only access allowed through the perimeter | |
| Backup | Complete backup weekly. Incremental or differential backups in between | Complete backup twice weekly, incremental or differential backups in between | Complete backups daily | |
| Databases | Disable external access unless necessary | Restrict external access to critical databases | Restrict access to critical databases | |
| Operating Systems | Enable logging. Audit weekly | Audit 2/week | Audit daily | |

Table 1. Suggested INFOCON Safeguard Measures.
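The gateway router row of Table 1 and the perimeter description above, rendered as per-level Cisco IOS configuration fragments in an added example (it is not the thesis's prototype script, whose chapter VI follows). It also checks the property the text relies on, that each escalation step only tightens what untrusted sources can reach. The addressing, interface names, the Normal-level PPSM-approved services (assumed to be 80 and 443), the .mil address blocks and the choice of IPsec as the Grave-level VPN are all assumptions.

```python
"""Per-level Cisco IOS gateway-router fragments for the Perimeter rows of
Table 1, with a check that escalation only tightens the perimeter.

Added example, not the thesis's escalation scripts. Addresses, interface
names, the Normal-level approved services and IPsec as the VPN are assumed.
"""
from typing import FrozenSet, List

LEVELS = ("Normal", "Necessary", "Critical", "Grave")
TRAP_LEVEL = {"Normal": "errors", "Necessary": "warnings",          # Table 1 logging row
              "Critical": "notifications", "Grave": "informational"}
NET = {                                       # constructed sample addressing
    "inside": "10.10.0.0 0.0.255.255",        # protected network
    "admin": "10.10.1.0 0.0.0.255",           # small set of SA machines that may manage the router
    "web": "192.0.2.10", "dns": "192.0.2.53", "vpn": "192.0.2.1",
    "syslog": "10.10.1.20", "ntp": ("10.10.1.21", "10.10.1.22"),
    "mil": ["198.51.100.0 0.0.0.255"],        # placeholder for .mil address blocks
}
# IPsec (ISAKMP, NAT-T, ESP) assumed as the VPN; reachable at every level (Table 1, VPN row)
VPN_PERMITS = ["permit udp any host %s eq 500" % NET["vpn"],
               "permit udp any host %s eq 4500" % NET["vpn"],
               "permit esp any host %s" % NET["vpn"]]


def service_permits(level: str) -> List[str]:
    """Permit statements for traffic arriving from outside; everything else is denied."""
    if level not in LEVELS:
        raise ValueError("unknown INFOCON level %r" % level)
    permits = list(VPN_PERMITS)
    if level == "Normal":            # gates open: assumed PPSM-approved services 80 and 443
        permits += ["permit tcp any host %s eq %d" % (NET["web"], p) for p in (80, 443)]
        permits += ["permit icmp any any echo-reply", "permit icmp any any unreachable"]
    elif level == "Necessary":       # Deny by Default; allow port 80
        permits.append("permit tcp any host %s eq 80" % NET["web"])
    elif level == "Critical":        # only the .mil domain may still reach port 80
        permits += ["permit tcp %s host %s eq 80" % (m, NET["web"]) for m in NET["mil"]]
    if level != "Grave":             # port 53 never from untrusted addresses; Grave: VPN only
        permits.append("permit udp %s host %s eq 53" % (NET["inside"], NET["dns"]))
    return permits


def exposed_to_untrusted(level: str) -> FrozenSet[str]:
    """Permits whose source is 'any', i.e. services every external host may reach."""
    return frozenset(p for p in service_permits(level) if p.split()[2] == "any")


def escalation_is_monotonic() -> bool:
    """Each higher level exposes a subset of what the level below exposed."""
    return all(exposed_to_untrusted(hi) <= exposed_to_untrusted(lo)
               for lo, hi in zip(LEVELS, LEVELS[1:]))


def router_config(level: str) -> List[str]:
    """Configuration fragment an escalation script would load for one level."""
    cfg = ["! INFOCON %s: gateway router fragment" % level,
           "ip access-list extended INFOCON_IN",
           # anti-spoofing: inside, loopback and multicast sources are never valid from outside
           " deny ip %s any log" % NET["inside"],
           " deny ip 127.0.0.0 0.255.255.255 any log",
           " deny ip 224.0.0.0 15.255.255.255 any log",
           " deny udp any any range 33434 33534 log"]        # inbound traceroute
    cfg += [" " + p for p in service_permits(level)]
    cfg += [" deny ip any any log",                          # deny by default; log each blocked statement
            "ip access-list extended INFOCON_OUT",
            " permit ip %s any" % NET["inside"],             # block outbound packets with external source
            " deny ip any any log",
            "ip access-list standard MGMT",
            " permit %s" % NET["admin"],
            "interface FastEthernet0/0",
            " description outside",
            " ip access-group INFOCON_IN in",
            " ip access-group INFOCON_OUT out",
            "logging source-interface Loopback0",            # one internal source address for all logs
            "logging host %s" % NET["syslog"],
            "logging trap %s" % TRAP_LEVEL[level]]
    cfg += ["ntp server %s" % s for s in NET["ntp"]]         # sample two reliable NTP servers
    cfg += ["line vty 0 4", " access-class MGMT in",         # management from a small set of computers
            # telnet tolerated only at Normal; Necessary and above disallow it
            " transport input telnet ssh" if level == "Normal" else " transport input ssh"]
    return cfg


if __name__ == "__main__":
    assert escalation_is_monotonic()
    print("\n".join(router_config("Critical")))
```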

C.  SUMMARY 

The evolution of the INFOCON is based upon the analysis of the existing INFOCON, the policies and goals of the DOD, and a desire to detail a system that is useful and standardized. The suggested INFOCON has four levels that are demarcated by the amount of exposure of its systems, based upon the mission assurance categories of the DITSCAP. It has two categories of criteria to determine the INFOCON level, one to be used by the JTF-CNO to determine the DOD INFOCON level and the other to be used by the DOD components. This allows standardization of the criteria for the DOD components. It also lessens the subjectivity of the decision process by giving guidance on technical threats and direct correlation of the other warning systems.

The suggested INFOCON protects the DOD information infrastructure by employing proactive and preventive actions that can incrementally increase its security posture, while still allowing for mission accomplishment. By not focusing on the potential or existing threats and instead focusing on a proactive defense-in-depth protection strategy, the suggested INFOCON attempts to lessen risk by greatly reducing the exposure of vulnerable systems. This also makes the information infrastructure more secure against both known and unknown threats.

Each area of defense has devices or services associated with it. These can be used to counter certain explicit and implicit threats for each of the suggested INFOCON levels. Some of these devices/services are good candidates for implementing predefined security escalation scripts. These candidates must also meet other considerations before they can be selected as the prototype devices/services to run the predefined security escalation scripts.

A primary consideration for such devices and services is the ability to manage that device or service from one location using a script. This would allow one SA or SSA to securely escalate the security of the entire network from one location. The use of a simple command line interface to run the escalation scripts is more secure and would not require the certification and accreditation that a GUI interface would require.

Another consideration is the security relevancy of the device or service to the security of the network. The service or device should be a key part of the security of the network.

A third consideration is the probability that the device or service is included in most DOD networks. The make, model, or version of the device or service is not part of this consideration; just that the general category of device or service, such as a gateway router, should be included in most DOD networks.

Two devices and a service that are likely to be in most DOD networks are a gateway router, a managed switch, and a Syslog server. Devices such as a gateway router and managed switches could have security escalation scripts written for them that could be invoked from a single/central security administrator’s machine. Syslog is a service that the devices report to. The information that is sent to the Syslog server can be escalated. So the escalation for the Syslog server is the escalation in the volume/granularity of information it collects.

A gateway router is the first device or tool on a network that can filter and re-route data, so it is very relevant to the security of the network. Managed switches also filter and re-route data, but they can also isolate segments of the network, which is network security relevant. The Syslog server is the central collection point for security relevant events received from routing/switching devices, other detection tools, and various potential target services on the protected network.

Each of these mechanisms protects against different types of threats. They also meet the three considerations discussed. For these reasons, a gateway router, a managed switch and a Syslog server were selected as the prototype safeguard mechanisms.
VI. SAFEGUARD MEASURES SCRIPTS


By focusing on a defense in depth proactive protection strategy, the suggested INFOCON protects the DOD information infrastructure by proactive and preventive techniques that enable the accomplishment of the mission. Some of the devices and tools employed in this strategy are good candidates for implementing predefined security escalation scripts. A gateway router, a managed switch, and a Syslog server were selected as the prototype devices and tool to run these escalation scripts to demonstrate these concepts.

This chapter will detail the design considerations, the structure of the scripts, the scripts themselves, and the devices and tool utilized. The network on which the prototype scripts will be run will be described, as well as the considerations of that network. Finally, generalizations derived from this prototype will be presented.

A. SCRIPT CONSIDERATIONS

There were several considerations used in regards to the design, development, and implementation of the escalation scripts. The first consideration was whether to manage the device scripts in a distributed manner or to centrally manage the scripts. The device scripts would be called by a single, main script that would be located on the administrator’s machine.

It is easier to maintain and update scripts when they are in one location rather than spread across an entire network. However, if that location becomes compromised then all of those scripts are suspect. That may mean the perimeter has already been breached and the scripts are suspect anyway.15 It is common for SAs of large networks to push changes to a large number of routers using centralized scripts. So, for our example, it was determined that the scripts would be managed centrally.

The next consideration was focused on the gateway router and the managed switch. Should there be a single configuration file located on the device that contains all of the access control lists (ACLs), which function as filters and self-protection mechanisms, for every level of the suggested INFOCON, with the script only changing the ACL for each interface? Or should there be a configuration file for each INFOCON level that the script loads into the device?

15 An insider would not be considered to have breached the perimeter security.

It is faster to just change the ACL for each interface, but then the configuration
files must be kept on the device and in another location for documentation. Managing the
configuration files in a central location doesn't require that the configuration files be kept in
two places, but it does require that the entire configuration file be transferred to change the
level on the device. Maintaining two copies of the same document presents the difficulty
of keeping those documents synchronized. Nothing is more frustrating and dangerous
than believing that the device is using one configuration file, when it actually has another.
Thus, the configuration files and the escalation scripts should be centrally managed.
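The synchronization problem described above (believing a device runs one configuration when it actually runs another) can be checked mechanically. The following shell script is an added example and is not part of the thesis prototype; the two configurations it compares are constructed samples, and on a real network the device copy would be retrieved from the device (for instance over TFTP) rather than read from a local file.

```shell
#!/bin/sh
# Added example (not from the thesis): detect drift between the centrally
# managed copy of a device configuration and the copy actually in use.
# The "device" copies are constructed files standing in for a
# configuration retrieved from the router or switch.

# Create constructed sample configurations in a temporary directory and
# print the directory name.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/central-normal.txt" <<'EOF'
! constructed sample: central copy of the "normal" level configuration
hostname gateway
logging 10.1.2.10
access-list 101 permit tcp any host 10.1.2.10 eq 80
EOF
    # A device copy that still matches the central copy.
    cp "$dir/central-normal.txt" "$dir/device-running.txt"
    # A device copy that was changed on the device itself (ACL widened).
    sed 's/permit tcp any/permit ip any/' "$dir/central-normal.txt" \
        > "$dir/device-altered.txt"
    echo "$dir"
}

# config_fingerprint FILE
# Prints a stable checksum of a configuration, ignoring trailing
# whitespace, blank lines and IOS comment lines ("!") so that purely
# cosmetic differences are not reported as drift.
config_fingerprint() {
    sed -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' -e '/^!/d' "$1" \
        | cksum | cut -d' ' -f1
}

# check_drift CENTRAL DEVICE
# Returns 0 when the two copies match, 1 when they differ; on a mismatch
# the differing lines are printed so the SA sees exactly what changed.
check_drift() {
    central=$1
    device=$2
    if [ "$(config_fingerprint "$central")" = "$(config_fingerprint "$device")" ]; then
        echo "OK: $device matches $central"
        return 0
    fi
    echo "DRIFT: $device differs from $central"
    diff "$central" "$device" || true
    return 1
}
```

Run against the central copy on the TFTP server and a freshly retrieved running-config after each escalation; a non-zero exit from check_drift is the signal that the documented configuration and the live one have diverged.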

B. PROTOTYPE NETWORK

Originally, the devices and tool to be prototyped were part of an existing, suitable
network in a laboratory environment. However, because of the unexpected rapid
development of this network into a bastion network, an alternative had to be improvised.
A small network was created for the sole purpose of developing and testing the
predefined escalation scripts.

This small network consists of a Cisco 2600 Router, Cisco 2590 Managed Switch,
a server, a user machine, and an administrative machine. The server is both the TFTP
server and the Syslog server. Unfortunately, the gateway router for this network does not
support SSH...

This will require the use of telnet to manage the scripts, which is less secure
because it transmits the passwords in the clear. The safeguard measures recommend the
use of SSH instead of telnet for that reason. The configuration files have been modified
appropriately to allow telnet in this instance. Figure 9 is the network diagram for this
prototype network.
Figure 9. Prototype Network Diagram


C.  SCRIPTS 

Each of the mechanisms selected protects against different threats. The gateway
router is the primary perimeter defense mechanism that will mitigate the threat of most
amateur attackers, known as Script Kiddies. The managed switch is a second layer
perimeter defense mechanism that mitigates the better Script Kiddies and the insider threat,
and allows isolation of critical systems. Syslog is a detection mechanism that will help
protect against the insider threat and external threats, and mitigate successful intrusions by
the analysis of the events contained within its logs. [FI01, KO01, RO01, ST01]

Each mechanism's particular mitigating actions will be initiated by the command
line escalation scripts. The purpose of the scripts is to allow a single SA or SSA to
securely manage the security of the entire network from one location. These scripts are
proofs of concept, to be viewed as examples. [FI01, KO01, RO01, ST01]

There  are  three  scripts,  respectively  called  infocon,  router,  and  switch.  All  of  the 
scripts  are  located  on  one  machine,  the  SA  or  SSA  computer,  and  in  the  same  directory. 
The  main  script,  called  infocon,  was  conceived  so  that  the  “push  a  single  button  concept” 
could  be  accomplished.  It  is  the  controlling  script.  It  calls  the  router  script  and  then  the 
switch  script.  Figure  10  is  a  graphical  representation  of  this  control  flow. 
Figure 10. Flow diagram of prototype scripts


1. InfoCon

This script, which takes the INFOCON level as an argument, calls the device
escalation scripts and passes the INFOCON level to them. So with the command
'./infocon grave', the gateway router and the managed switch are escalated to the highest
level of security. The script is as follows:

#!/bin/sh
# usage: ./infocon normal
# The INFOCON level is the only argument; each device script emits the
# telnet session that loads that level's configuration into its device.
level=$1
echo $level
echo "updating router"
./router $level | telnet
#
echo " "
sleep 1
echo "updating switch"
#
./switch $level | telnet
sleep 1
#
#echo "updating Webserver"
./Webserver $level | telnet
sleep 1
echo "updating complete"
#end

[FI01, KO01, RO01, ST01]

2. Gateway Router

The gateway router was an old Cisco 2600. The particular mitigating actions to
be taken by a gateway router are described in Table 1 under Gateway Router. The actual
configuration files for each INFOCON level are included in Appendix H. The gateway
router script also takes the INFOCON level as an argument and is piped to telnet. The
command './router necessary | telnet' escalates the gateway router to the second
lowest level of security. Even though the configuration files are "copied" into the
startup-config and the running-config files, it is not a true copy. The Cisco operating
system for the router actually merges two files, when one is copied over the other. For
this reason, to eliminate the Access Control Lists (ACLs) a configuration file without any
ACLs, noACL.txt, must be copied over the startup-config and the running-config files
first.


The  script  is  as  follows: 

#!/bin/sh
# usage: ./router normal | telnet
level=$1
#
tftp=10.1.2.10        # TFTP server holding the configuration files
#
rtr=10.1.2.1          # gateway router
port=23               # telnet
#
RtrPasswd=jennifer    # vty password, as used in the prototype
#
# Each echo is one line typed into the telnet session; the sleeps give
# the router time to respond before the next line is sent.
#echo $rtr
echo open ${rtr} ${port}
sleep 1
echo ${RtrPasswd}
sleep 1
#
sleep 1
echo "enable"
sleep 1
echo "thesis"
sleep 1
#
# Load the ACL-free configuration first: copy merges into the existing
# configuration, so this removes the ACLs of the previous level.
echo "copy tftp://$tftp//home/tftp/router/noACL.txt startup-config"
sleep 1
echo "startup-config"
sleep 10
#
echo "copy tftp://$tftp//home/tftp/router/$level.txt startup-config"
sleep 1
echo "startup-config"
sleep 10
#
echo "copy tftp://$tftp//home/tftp/router/noACL.txt running-config"
sleep 1
echo "running-config"
sleep 10
#
echo "copy startup-config running-config"
sleep 2
echo "running-config"
sleep 25
echo exit
#end

[FI01, KO01, RO01, ST01]

3.  Managed  Switch 

The managed switch was a new Cisco Catalyst 2590. The particular mitigating
actions to be taken by a managed switch are described in Table 1 under Managed Switch.
This switch has the ability to use access lists to authenticate ports. Not all ports will have
this ability. The actual configuration files for each INFOCON level are included in
Appendix I. The managed switch script also takes the INFOCON level as an argument
and is piped to telnet. The command './switch normal | telnet' sets the managed
switch to the lowest level of security.

The  script  is  as  follows: 

#!/bin/sh
# usage: ./switch normal | telnet
#
level=$1
#
tftp=10.1.2.10        # TFTP server holding the configuration files
#
switch=10.1.2.2       # managed switch
port=23               # telnet
#
SwPasswd=termpassword # vty password, as used in the prototype
#
# Each echo is one line typed into the telnet session; the sleeps give
# the switch time to respond before the next line is sent.
echo open ${switch} ${port}
sleep 1
echo ${SwPasswd}
sleep 1
#
echo "enable"
sleep 1
echo "secret"
sleep 1
#
echo "copy tftp://$tftp//home/tftp/switch/$level.txt startup-config"
sleep 1
echo "startup-config"
sleep 10
echo "copy startup-config running-config"
sleep 2
echo "running-config"
sleep 25
echo exit
#end

[FI01, KO01, RO01, ST01]
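The infocon, router and switch scripts above share one pattern: they echo a session into telnet, embed the passwords in the script, and never check the level argument, so a typo such as './infocon grav' would try to fetch a configuration file that does not exist. The following shell script is an added example, not the thesis's own code, that folds the router and switch sequences into one controller. It accepts only the four suggested INFOCON levels, keeps the noACL pre-load for the router (because copy merges into the existing configuration rather than replacing it), and writes the command stream to a transport that defaults to cat, a dry run that lets the SA review the exact sequence before it is sent. The TFTP address and file paths follow the prototype; the device order, the dry-run transport and the omission of passwords from the stream (left to the transport, ideally SSH) are my assumptions.

```shell
#!/bin/sh
# Added example (not the thesis's scripts): one controller that validates
# the INFOCON level, builds the IOS command sequence for each device and
# hands it to a transport. TRANSPORT defaults to "cat" (dry run).

TFTP=${TFTP:-10.1.2.10}   # TFTP server address used in the prototype

# The four levels of the suggested INFOCON, lowest to highest.
LEVELS="normal necessary critical grave"

# validate_level LEVEL -> 0 if LEVEL is one of the four levels, 1 otherwise.
validate_level() {
    for l in $LEVELS; do
        [ "$1" = "$l" ] && return 0
    done
    return 1
}

# level_rank LEVEL -> prints 0..3 (normal=0 ... grave=3); fails on an
# unknown level so callers can compare levels numerically.
level_rank() {
    i=0
    for l in $LEVELS; do
        if [ "$1" = "$l" ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# device_commands DEVICE LEVEL
# Emits the IOS command sequence that loads DEVICE's LEVEL configuration.
# Each "copy" is followed by the destination name, which answers the
# filename prompt the router issues. For the router the ACL-free
# configuration is loaded first, because copy merges rather than replaces
# and stale ACL entries from a higher level would otherwise survive.
device_commands() {
    dev=$1
    lvl=$2
    validate_level "$lvl" || { echo "unknown level: $lvl" >&2; return 1; }
    echo "enable"
    if [ "$dev" = "router" ]; then
        echo "copy tftp://$TFTP//home/tftp/router/noACL.txt startup-config"
        echo "startup-config"
        echo "copy tftp://$TFTP//home/tftp/router/noACL.txt running-config"
        echo "running-config"
    fi
    echo "copy tftp://$TFTP//home/tftp/$dev/$lvl.txt startup-config"
    echo "startup-config"
    echo "copy startup-config running-config"
    echo "running-config"
    echo "exit"
}

# infocon LEVEL [TRANSPORT]
# Escalates every managed device to LEVEL, perimeter first (router, then
# switch), stopping at the first device whose transport reports failure.
infocon() {
    lvl=$1
    transport=${2:-cat}
    validate_level "$lvl" || {
        echo "usage: infocon normal|necessary|critical|grave [transport]" >&2
        return 2
    }
    for dev in router switch; do
        echo "updating $dev to $lvl (rank $(level_rank "$lvl"))" >&2
        device_commands "$dev" "$lvl" | $transport || return 1
    done
    echo "updating complete" >&2
}
```

With no transport argument, 'infocon critical' prints the ten router lines and six switch lines it would send and changes nothing, which is the review step the one-button approach otherwise lacks; an unknown level is rejected before any device is touched.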

4. Syslog

There are no configuration files for the Syslog server, because its purpose is to
receive the logs sent to it by other network devices. It is the central repository for all
event logs. Having all devices log to the same location makes it easier for the SA
or SSA to analyze the event logs and detect a breach of the network or an insider.
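As an added example that is not part of the thesis, the following shell functions perform the kind of analysis the paragraph describes over a handful of constructed Cisco-style syslog lines: configuration changes per originating host, configuration changes that did not come from the administrator's machine (the insider or breach indicator), and ACL denies per source address. The message formats (%SYS-5-CONFIG_I, %SEC-6-IPACCESSLOGP) are standard IOS syslog messages; the addresses and timestamps are constructed.

```shell
#!/bin/sh
# Added example (not part of the thesis): offline analysis of the event
# logs collected on the Syslog server. The lines below are constructed in
# Cisco IOS syslog style; on the real server they would be read from the
# syslog daemon's log file instead.

# Write the constructed sample log to a temporary file and print its name.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  1 10:00:01 10.1.2.1 %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.2.20)
Mar  1 10:00:05 10.1.2.1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4444) -> 10.1.2.10(23), 1 packet
Mar  1 10:00:06 10.1.2.1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4445) -> 10.1.2.10(22), 1 packet
Mar  1 10:01:00 10.1.2.2 %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.2.55)
Mar  1 10:02:00 10.1.2.1 %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(1234) -> 10.1.2.10(69), 3 packets
Mar  1 10:03:00 10.1.2.1 %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.2.20)
EOF
    echo "$f"
}

# config_changes_by_host FILE
# Counts configuration changes (%SYS-5-CONFIG_I) per originating host;
# the host is the parenthesised address at the end of the message.
config_changes_by_host() {
    awk '/%SYS-5-CONFIG_I/ { h = $NF; gsub(/[()]/, "", h); n[h]++ }
         END { for (h in n) print h, n[h] }' "$1"
}

# unexpected_config_changes FILE ADMIN_HOST
# Prints every configuration change that did not originate from the
# administrator's machine. In the prototype all changes are pushed from
# that one machine, so any other source points to an insider or to a
# breached perimeter.
unexpected_config_changes() {
    awk -v admin="$2" \
        '/%SYS-5-CONFIG_I/ { h = $NF; gsub(/[()]/, "", h); if (h != admin) print }' "$1"
}

# denied_by_source FILE
# Counts ACL denies (%SEC-6-IPACCESSLOGP ... denied) per source address,
# so that repeated probing of the perimeter stands out.
denied_by_source() {
    awk '/%SEC-6-IPACCESSLOGP/ && /denied/ { s = $10; sub(/\(.*$/, "", s); n[s]++ }
         END { for (s in n) print s, n[s] }' "$1"
}

# report FILE ADMIN_HOST: one-screen summary for the SA or SSA.
report() {
    echo "== configuration changes by host"
    config_changes_by_host "$1"
    echo "== configuration changes not from $2"
    unexpected_config_changes "$1" "$2"
    echo "== ACL denies by source"
    denied_by_source "$1"
}
```

On the sample, report shows two changes from the administrative machine, one change to the switch from 10.1.2.55 that should not have happened, and two denied connections from the same external source within a second of each other; the same functions run unchanged over the real log file once the device addresses are known.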


D. SUMMARY

A  small  network  consisting  of  a  Cisco  2600  Router,  Cisco  2590  Managed  Switch, 
a  TFTP  server,  a  Syslog  server,  a  user  machine,  and  an  administrative  machine  was 
created  for  the  development,  testing,  and  implementation  of  the  predefined  escalation 
scripts.  The  router  does  not  support  SSH,  so  the  configuration  files  were  modified 
appropriately. 

There  were  two  considerations  in  the  design  of  the  scripts  that  were  addressed. 
First,  the  predefined  escalation  scripts  would  be  managed  centrally,  locating  them  on  the 
administrator’s  machine.  Secondly,  the  configuration  files  would  be  managed  centrally 
on  the  TFTP  server.  This  allows  the  maximum  ease  of  documentation  and  maintenance. 

The predefined escalation scripts were designed, developed, tested, and
successfully implemented. These scripts allow the suggested INFOCON to protect the
DOD information infrastructure by employing proactive and preventive techniques in a
standardized manner. This standardization is part of the foundation that allows the DOD
and its components to accomplish their mission.

The successful escalation prototype concept can be applied to other components
in the network. An Apache Web server, which is an application, was included in the
prototype network to demonstrate that concept. Its script is detailed in Appendix G. The
script primarily alters the level of logging that the web server sends to the Syslog server.

Most applications, devices, and tools have logging capabilities. So, the safeguard
measures regarding logging for the router could be applied to all applications, devices,
and tools on the network. This is an example of how to apply the escalation prototype
concept to other components on the network.
VII. CONCLUSIONS


In  summary,  this  body  of  work  has  presented  the  INFOCON  and  the  foundation 
of  its  evolution.  The  warning  systems  that  influence  the  INFOCON  were  discussed.  The 
analysis  of  the  INFOCON  followed. 

This analysis answered several thesis questions. How are the INFOCON levels
defined? The INFOCON levels are not explicitly defined. The probability of an attack
and the severity of the impact of an attack are the implied methods of definition for the
INFOCON levels that were selected. These definitions lead into the next question. How
are the INFOCON levels demarcated? The method of demarcation of the INFOCON
levels is the risk posed to DOD information systems. There was not a "cutoff" criterion
between the layers. Nor was there a common "theme" that could be leveraged when
choosing the safeguard measures to be applied.

The  analysis  of  the  network  defense  methodologies  answered  several  more 
questions.  What  is  the  current  landscape  of  network  defense  methodologies?  It  revealed 
that  all  of  the  methodologies  were  ad-hoc  and  conducive  to  escalation,  but  none  had  any 
formal  escalation  process. 

Some  of  the  mechanisms  presented  were  conducive  to  a  predefined  escalation 
process.  These  same  mechanisms  could  accommodate  a  semi-automated  predefined 
escalation  process.  This  would  enhance  the  ability  of  the  DOD  to  attain  the  goals  of  the 
INFOCON  system. 

The suggested INFOCON system is an information warning system whose goal is
to protect DOD systems while still supporting accomplishment of the mission. Limiting
the exposure of systems that support the mission is the stated method of demarcation for
its four levels. Its base level, Normal, represents a fully hardened information
infrastructure whose defense is based on the DID methodology and is conducting normal
day to day operations. The next level, Necessary, limits the exposure of the MAC III
systems and should be maintainable indefinitely. Critical, which is the third level, limits
the exposure of MAC II systems and should be maintainable for a reasonable duration.
Finally, Grave limits the exposure of MAC I systems and should only be maintained for
the minimum possible time.

The criteria have been separated into two categories to facilitate the
standardization of determining the INFOCON level. The direct correlation of other
warning systems to each INFOCON level and the technical indicators at the component
level are the two criteria that are not subjective. All of the criteria for the JTF-CNO are
subjective due to the size, complexity, and nature of the DOD information infrastructure.

The suggested INFOCON protects the DOD information infrastructure by
proactive techniques that enable the accomplishment of the mission. By focusing on a
strong proactive defense in depth strategy, the suggested INFOCON incrementally
lessens the exposure of the systems, thereby making the information infrastructure more
secure against known and future threats. This answers the question: What is the
appropriate tactical response to each of the INFOCON levels?

The ability to secure the information infrastructure against known and future
threats is one of the suggested INFOCON system's greatest benefits. It also offers the
users of the system a system designed from their perspective, thus allowing greater user
acceptance and understanding, which are both key to the success of any warning system.
The suggested safeguard measures are specific, technical, and feasible, which removes
ambiguity and replaces it with standardization.

In Table 1, each area of defense has devices associated with it that mitigate
implied or expected threats for each of the suggested INFOCON levels. Some of the
devices mentioned in the safeguard measures are good candidates for implementing
predefined security escalation scripts. Thus, another thesis question could be answered:
What security-implementing devices would make good candidates for implementing the
security scripts? Devices such as the gateway router, the managed switch, and a Syslog
server are good candidates to receive escalation scripts that could be run from one
machine. These devices were selected as the prototype devices.
Can the safeguard scripts be centrally managed? This was a question that needed
to be answered before the design and development of the predefined escalation scripts. It
is less complicated and faster to push changes for a large number of network components
using centralized scripts. So, it was determined that the configuration files and the
escalation scripts could be centrally managed.

The  suggested  INFOCON  is  quite  feasible  technically,  as  demonstrated  by  the 
simplicity of the prototype scripts. The existing INFOCON system is currently being
re-engineered by the JTF-CNO and the suggested INFOCON system could be an option for
the  JTF-CNO  to  consider.  It  is  a  fresh  perspective  on  the  warning  system  at  the  very 
least. 

A. CONCLUSIONS

The  goal  of  the  INFOCON  system  is  to  protect  DOD  systems  while  still 
supporting  accomplishment  of  the  mission.  The  suggested  INFOCON  system 
accomplishes  that  goal  because  it  is  based  upon  supporting  the  mission.  It  also 
accomplishes  the  goal  of  coordinating  the  overall  defensive  effort  of  the  DOD  through 
adherence  to  criteria  and  demarcation  standards  provided  by  the  Mission  Assurance 
Categories. 


B. FUTURE WORK

There are several areas for future work, research, and development. Here are just
a few:

•  Working  with  the  JTF-CNO  to  develop  the  next  INFOCON  system. 

•  In  depth  analytical  assessment  of  the  relationship  among  the  numerous 
warning  systems. 

•  Analysis  and  development  of  reporting  procedure  to  better  integrate  the 
existing  warning  systems. 

•  Development  of  real-time  automated  log  auditing. 
•  Development of a sound technique of auditing logs to reveal insider threats.

•  Feasibility  study  of  integrating  the  INFOCON  into  the  DITSCAP. 

•  Formal  mathematical  analysis  (Ph.D.  level  research)  of  the  demarcation  of  the 
INFOCON  levels. 

•  Development  of  an  efficient  event  reporting  procedure  between  JTF-CNO  and 
the  DOD  components  in  regards  to  the  INFOCON. 
APPENDIX A - ACRONYMS


ACL ............ Access Control List

ARPANET ........ Advanced Research Projects Agency Network

CJCS ........... Chairman of the Joint Chiefs of Staff

CNA ............ Computer Network Attack

CNA WATCHCON ... Computer Network Attack Watch Condition

COTS ........... Commercial off the Shelf

DEFCON ......... Defense Readiness Condition

DID ............ Defense in Depth

DII ............ DOD information infrastructure

DITSCAP ........ DOD Information Technology Security Certification &
                 Accreditation Process

DOD ............ Department of Defense

DoS ............ Denial of Service

EMP ............ Electromagnetic pulse

FPCON .......... Force Protection Condition

GAO ............ General Accounting Office

HSAS ........... Homeland Security Advisory System

I&W ............ Indications and Warning

IDS ............ Intrusion Detection System

INFOCON ........ Information Operations Condition

IA ............. Information Assurance

IP ............. Internet Protocol

IPsec .......... Internet Protocol Security

IS ............. Information System

JTF-CND ........ Joint Task Force, Computer Network Defense

JTF-CNO ........ Joint Task Force, Computer Network Operations (formerly JTF-CND)

QoSS ........... Quality of Security Service

PPSM ........... Ports, Protocols, and Service Management

SA ............. System Administrator

SecDef ......... Secretary of Defense

SSA ............ System Security Administrator

SSH ............ Secure Shell

TCP ............ Transmission Control Protocol

THREATCON ...... Terrorist Threat Condition

WATCHCON ....... Watch Condition
APPENDIX B - TERMS AND CONCEPTS


Accreditation — It is the authorization granted by the designated approving authority that
permits a DOD system to process, store, and/or transmit information. It is based upon
information gathered during the certification process and concerns the protection and
defense of the information and/or the system. [BU01]

Availability — The concept of information assurance that guarantees that the information
or service is accessible (available) when it is sought.

Certification — The comprehensive evaluation of the technical and non-technical
security features of a system and other safeguards to establish the extent to which a
particular design and implementation meets a set of specified security requirements.
[BU01]

Information Assurance — "Measures that protect and defend information and
information systems by ensuring their availability, integrity, authentication,
confidentiality, and non-repudiation." [DODOS]

Integrity — The concept of information assurance that assures that there is no
unauthorized modification or deletion of data.

Internet Protocol — A set of rules designed for use in interconnected systems of packet
switched computer communication networks. [IN02]

Internet Protocol Address — A numerical address, expressed in the format specified in
the Internet Protocol, for devices and resources. [FU01]

IP Address — See "Internet Protocol Address".

IPsec — A tunneling protocol used primarily by VPNs.

Transmission Control Protocol — A set of rules that works in conjunction with IP and
defines how data is sent in the form of message units between computers over a
packet switched computer communication network. IP handles the actual delivery of
the data. TCP tracks the individual units of data, called packets, that a
message is divided into for efficient routing through the packet switched computer
communication network. [FU01]

Virtual Private Network (VPN) — A virtual private network that is a secure
communications channel for data networking incorporating IPsec.




APPENDIX  C  -  INFOCON  ENCLOSURE  (source  rao2) 


1.  Purpose.  The  Information  Operations  Condition  (INFOCON)  recommends  actions  to 
uniformly  heighten  or  reduce  defensive  posture,  to  defend  against  computer  network 
attacks,  and  to  mitigate  sustained  damage  to  the  DOD  information  infrastructure, 
including  computer  and  telecommunications  networks  and  systems.  The  INFOCON  is  a 
comprehensive  defense  posture  and  response  based  on  the  status  of  information  systems, 
military  operations,  and  intelligence  assessments  of  adversary  capabilities  and  intent. 
The  INFOCON  system  impacts  all  personnel  who  use  DOD  information  systems, 
protects  systems  while  supporting  mission  accomplishment,  and  coordinates  the  overall 
defensive  effort  through  adherence  to  standards. 

2.  Description.  The  INFOCON  system  presents  a  structured,  coordinated  approach  to 
defend  against  and  react  to  adversarial  attacks  on  DOD  computer  and  telecommunication 
networks  and  systems.  While  all  communications  systems  are  vulnerable  to  some  degree, 
factors  such  as  low-cost,  readily  available  information  technology,  increased  system 
connectivity,  and  standoff  capability  make  computer  network  attack  (CNA)  an  attractive 
option  to  our  adversaries  at  present.  The  DOD  INFOCON  criteria  and  response  actions 
may  be  expanded  at  a  later  date  to  include  all  forms  of  information  operations.  CNA  is 
defined  as  “operations  to  disrupt,  deny,  degrade,  or  destroy  information  resident  in 
computers  and  computer  networks,  or  the  computers  and  networks  themselves.” 
INFOCON  also  outlines  countermeasures  to  scanning,  probing,  and  other  suspicious 
activity;  unauthorized  access;  and  data  browsing.  DOD  INFOCON  measures  focus  on 
computer  network-based  protective  measures,  due  to  the  unique  nature  of  CNA 
(reference  paragraph  5).  Each  level  reflects  a  defensive  posture  based  on  the  risk  of 
impact  to  military  operations  through  the  intentional  disruption  of  friendly  information 
systems.  INFOCON  levels  are  NORMAL  (normal  activity),  ALPHA  (increased  risk  of 
attack),  BRAVO  (specific  risk  of  attack),  CHARLIE  (limited  attack),  and  DELTA 
(general  attack).  Countermeasures  at  each  level  include  preventive  actions,  actions  taken 
during  an  attack,  and  damage  control/mitigating  actions. 

3.  Authority.  The  INFOCON  system  is  established  by  the  Secretary  of  Defense,  and 
administered  through  the  Director  for  Operations,  Joint  Staff  (J-3).  The  INFOCON 
system  will  be  administered  through  the  Commander,  Joint  Task  Force  for  Computer 
Network  Defense  (JTF-CND),  when  the  JTF-CND  reaches  initial  operational  capability 
(IOC). All combatant commands, Services, directors of Defense and combat support
agencies  will  develop  supplemental  INFOCON  procedures  as  required,  specific  to  their 
command  and  in  consonance  with  this  guidance.  Subordinate  and  operational  unit 
commanders  will  use  the  INFOCON  procedures  developed  by  their  higher  headquarters 
(e.g.,  combatant  commands  or  Services).  Existing  policy  and  procedures  on 
communications  security  (COMSEC)  may  be  integrated  into  local  INFOCON  procedures 
at  the  commander’s  discretion. 
4. Applicability. This document provides guidance for standardized procedures and sets
responsibilities for authorizing and communicating INFOCONs as part of information
operations (IO) throughout the Department of Defense. The information contained herein
applies to the Joint Staff; Services; combatant commands; Defense agencies; and joint,
combined, and other DOD activities throughout the entire conflict spectrum — peacetime
through war.

5. Assumptions. Several critical assumptions were made about the nature of computer
network attack (CNA) in developing the DOD INFOCON system. Understanding these
assumptions is essential to effectively implement this system.

a. Shared Risk. In today's network-centric environment, risk assumed by one is
risk shared by all. Unlike most other military operations, a successful network intrusion
in one area of responsibility (AOR) may, in many cases, facilitate access into other
AORs. This necessitates a common understanding of the situation and responses
associated with the declared DOD INFOCON. These actions must be carried out
concurrently in all AORs for an effective defense.

b. Advance Preparation. Preparation is key, given the speed and reduced
signature of CNA. Protective measures must be planned, prepared, exercised, and often
executed well in advance of an attack. Preventive measures are emphasized in
INFOCON responses because there may be little time to react effectively during the
attack. Prevention of system compromise (see Appendix C for various advisories to
consider) is preferable, but may not be achievable.

c. Anonymity of Attacker. Attributing the attack to its ultimate source, if
possible, will normally not occur until after the attack has been executed. This limits the
range and type of options available to military decision makers. To effectively operate in
this environment, knowledge of the adversary's identity cannot be a prerequisite to
execution of defensive strategies and tactics.

d. Characterization of the Attack. Distinguishing between hacks, attacks, system
anomalies, and operator error may be difficult. The most prudent approach is to assume
malicious intent until an event is assessed otherwise. (See Appendix C for various
assessments to consider.)

6. Structure. This paragraph explains the INFOCON structure, including level, brief
description, criteria to declare, and recommended actions. The criteria listed are broad
guidance for the commander to consider when declaring an INFOCON, not concrete
thresholds. All criteria for a particular INFOCON need not be met to change to that
level. More detailed explanation of routine security measures such as internal security
reviews and external vulnerability assessments are located in Appendix A, General
Security Practices.
LABEL / CRITERIA / RECOMMENDED ACTIONS

NORMAL (Normal Activity)

Criteria:
•  No significant activity.

Recommended actions:
•  Ensure all mission critical information and information systems (including applications and databases) and their operational importance are identified.
•  Ensure all points of access and their operational necessity are identified.
•  On a continuing basis, conduct normal security practices. For example:
•  Conduct education and training for users, administrators, and management.
•  Ensure an effective password management program is in place.
•  Conduct periodic internal security reviews and external vulnerability assessments.
•  Conduct normal auditing, review, and file back-up procedures.
•  Confirm the existence of newly identified vulnerabilities and install patches.
•  Employ normal reporting procedures IAW para 7d.
•  Periodically review and test higher level INFOCON actions.

ALPHA (Increased Risk of Attack)

Criteria:
•  Indications and warning (I&W) indicate general threat.
•  Regional events occurring which affect U.S. interests and involve potential adversaries with suspected or known CNA capability.
•  Military operation, contingency or exercise planned or ongoing requiring increased security of information systems.
•  Information system probes, scans or other activities detected indicating a pattern of surveillance.

Recommended actions:
•  Accomplish all actions required at INFOCON NORMAL.
•  Execute appropriate security practices (see Appendix A). For example:
•  Increase level of auditing, review, and critical file back-up procedures.
•  Conduct internal security review on all critical systems.
•  Heighten awareness of all information system users and administrators.
•  Execute appropriate defensive tactics.
•  Employ normal reporting procedures IAW para 7d.
•  Review and test higher level INFOCON actions, and consider proactive execution.

BRAVO (Specific Risk of Attack)

Criteria:
•  I&W indicate targeting of specific system, location, unit or operation.
•  Major military operation or contingency, planned or ongoing.
•  Significant level of network probes, scans or activities detected indicating a pattern of concentrated reconnaissance.
•  Network penetration or denial of service attempted with no impact to DOD operations.

Recommended actions:
•  Accomplish all actions required at INFOCON ALPHA.
•  Execute appropriate security practices (see Appendix A). For example:
•  Increase level of auditing, review, and critical file back-up procedures.
•  Conduct immediate internal security review on all critical systems.
•  Confirm existence of newly identified vulnerabilities and install patches.
•  Disconnect unclassified dial-up connections not required for current operation.
•  Execute appropriate defensive tactics.
•  Ensure increased reporting requirements are met IAW para 7d.
•  Review and test higher level INFOCON actions, and consider proactive execution.

CHARLIE (Limited Attack(s))

Criteria:
•  Intelligence attack assessment(s) indicate a limited attack.
•  Information system attack(s) detected with limited impact to DOD operations:
•  Minimal success, successfully counteracted.
•  Little or no data or systems compromised.
•  Unit able to accomplish mission.

Recommended actions:
•  Accomplish all actions required at INFOCON BRAVO.
•  Execute appropriate response actions. For example:
•  Conduct maximum level of auditing, review and critical file back-up procedures.
•  Consider minimize on appropriate computer networks and telecommunications systems (limit traffic to mission essential communication only). (See Appendix E, ref. e, CJCSI 6900.01A)
•  Reconfigure information systems to minimize access points and increase security.
•  Reroute mission-critical communications through unaffected systems.
•  Disconnect non-mission-critical networks.
•  Employ alternative modes of communication and disseminate new contact information.
•  Execute appropriate defensive tactics.
•  Ensure increased reporting requirements are met IAW para 7d.
•  Review and test higher level INFOCON actions, and consider proactive execution.

DELTA (General Attack(s))

Criteria:
•  Successful information system attack(s) detected which impact DOD operations.
•  Widespread incidents that undermine ability to function effectively.
•  Significant risk of mission failure.

Recommended actions:
•  Accomplish all actions required at INFOCON CHARLIE.
•  Ensure increased reporting requirements are met IAW para 7d.
•  Execute applicable portions of continuity of operations plan (see Appendix E, ref. f, DODD 3020.26, Continuity of Operations, Policy and Planning).
•  Designate alternate information systems and disseminate new communication procedures internally and externally.
•  Execute procedures for ensuring graceful degradation of information systems.
•  Implement procedures for conducting operations in "stand-alone" mode or manually.
•  Isolate compromised systems from rest of network.
•  Execute appropriate defensive tactics.

7. Procedures

a. Determining the INFOCON. There are three broad categories of factors that influence the INFOCON: operational, technical, and intelligence, including foreign intelligence and law enforcement intelligence. Some factors may fall into more than one category. The INFOCON level is based on significant changes in one or more of them. Appendix C describes several factors that may be considered when determining the INFOCON. DOD organizations are frequently confronted with unauthorized access to information systems. The decision to change the INFOCON should be tempered by the overall operational and security context at that time. For example, an intruder could gain unauthorized access and not cause damage to systems or data. This may only warrant INFOCON ALPHA or NORMAL during peacetime, but may warrant INFOCON CHARLIE during a crisis; or it may warrant a high INFOCON at the affected unit, but not throughout the command or the Department of Defense as a whole.

b. Declaring INFOCONs. The Joint Staff J3/Commander, JTF-CND (CJTF) will recommend changes in DOD INFOCON through the CJCS to the SecDef IAW paragraph 3. Assimilation and evaluation of information to assess the CND situation DOD-wide will be a collaborative effort focused at the Joint Staff/JTF-CND. The Secretary of Defense may delegate declaration authority to the J-3/CJTF. Commanders are responsible for assessing the situation and establishing the proper INFOCON based on evaluation of all relevant factors. Commanders may change the INFOCON of their organizations; however, they must remain at least as high as the current INFOCON directed by SecDef or the Chairman of the Joint Chiefs of Staff. The commander will report changes in INFOCON IAW subparagraph 7d.
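Two rules in the table and in paragraph 7b lend themselves to a mechanical check: each level begins with "accomplish all actions required at" the level below, so the action set is cumulative, and a commander's local INFOCON may never sit below the one directed by SecDef or the Chairman. The Python below is an added illustration written for this page; it is not the thesis's prototype escalation scripts and not part of the memorandum. The action strings are shortened paraphrases of the table, the NORMAL entry and all function names are assumptions, and the four-hour report deadline is taken from paragraph 7d(2).

```python
"""INFOCON level arithmetic: cumulative actions and the directed floor.

Added illustration, not code from the thesis or the memorandum it reproduces.
Action strings are shortened paraphrases of the table; the NORMAL entry and
the function names are assumptions.
"""
from datetime import datetime, timedelta
from enum import IntEnum


class Infocon(IntEnum):
    """Ordered so that comparisons and max() follow the escalation ladder."""
    NORMAL = 0
    ALPHA = 1
    BRAVO = 2
    CHARLIE = 3
    DELTA = 4


# Actions first introduced at each level (paraphrased; not the full table text).
LEVEL_ACTIONS = {
    Infocon.NORMAL: [
        "apply general security practices (Appendix A)",   # assumed NORMAL entry
    ],
    Infocon.ALPHA: [
        "execute appropriate defensive tactics (Appendix B)",
        "employ normal reporting procedures (para 7d)",
        "review and test higher level INFOCON actions",
    ],
    Infocon.BRAVO: [
        "increase auditing, review and critical file back-up",
        "conduct immediate internal security review on critical systems",
        "confirm newly identified vulnerabilities and install patches",
        "disconnect unclassified dial-up connections not required",
        "meet increased reporting requirements (para 7d)",
    ],
    Infocon.CHARLIE: [
        "conduct maximum level of auditing, review and back-up",
        "consider minimize on networks and telecommunications",
        "reconfigure systems to minimize access points",
        "reroute mission-critical communications through unaffected systems",
        "disconnect non-mission-critical networks",
        "employ alternative modes of communication",
    ],
    Infocon.DELTA: [
        "execute applicable portions of continuity of operations plan",
        "designate alternate information systems",
        "ensure graceful degradation of information systems",
        "operate in stand-alone mode or manually",
        "isolate compromised systems from rest of network",
    ],
}

REPORT_DEADLINE = timedelta(hours=4)  # para 7d(2): report NLT 4 hours after a change


def _level(value):
    """Accept an Infocon, its integer value, or its name ("bravo")."""
    return Infocon[value.upper()] if isinstance(value, str) else Infocon(value)


def _as_dt(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def cumulative_actions(level):
    """All actions in force at `level`: its own plus every lower level's."""
    level = _level(level)
    return [a for lvl in Infocon if lvl <= level for a in LEVEL_ACTIONS[lvl]]


def effective_infocon(local, directed):
    """Para 7b: a command may raise its INFOCON but never sit below the directed one."""
    return max(_level(local), _level(directed))


def escalation_steps(current, target):
    """Actions newly required when moving from `current` up to `target`.

    Empty when `target` is not an escalation: the cumulative rule already
    covers everything at or below `current`.
    """
    current, target = _level(current), _level(target)
    if target <= current:
        return []
    return [a for lvl in Infocon if current < lvl <= target for a in LEVEL_ACTIONS[lvl]]


def report_due_by(changed_at):
    """Latest time the change report must reach the NMCC (para 7d(2))."""
    return _as_dt(changed_at) + REPORT_DEADLINE


def report_is_late(changed_at, sent_at):
    return _as_dt(sent_at) > report_due_by(changed_at)


if __name__ == "__main__":
    level = effective_infocon("ALPHA", "CHARLIE")
    print("effective INFOCON:", level.name)
    for action in escalation_steps("ALPHA", level):
        print(" +", action)
    print("report due by:", report_due_by("2003-03-12T02:00"))
```

The `escalation_steps` list is what a predefined escalation script would have to carry out when a unit is ordered from one level to another; `effective_infocon` is the check a local declaration has to pass before it is reported.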

c. Response Measures. Response measures associated with INFOCONs are normally recommended actions unless specifically directed by SecDef. Ideally, CND operations will be based on advanced warning of an attack. The intelligence community is developing a capability to provide warning which will become of increasing value as it matures. Measures should be commensurate with the risk, the adversary’s assessed capability and intent, and mission requirements. Over-aggressive countermeasures may result in self-inflicted degradation of system performance and communication ability, which may contribute to the adversary’s objectives. Commanders must also consider the impact imposing a higher INFOCON for their command will have on connectivity with computer networks and systems of other commands. Combatant commands will notify the Joint Staff if recommended or directed response measures conflict with theater priorities. Additionally, response measures directed by combatant commands will take precedence over response measures directed by Service INFOCONs when applicable. Regardless of the INFOCON level declared at the affected site, it is incumbent upon the affected site to report all unauthorized accesses in a timely manner IAW subparagraph 7d.

d. Reporting. Technical reporting will be accomplished IAW reference a. Report violations of the law (such as unauthorized access to military computer networks and systems) to servicing military counterintelligence organizations IAW DODI 5240.6, “Counterintelligence Awareness and Briefing Program,” and with local and Service/command policy. However, INFOCONs assess potential and/or actual impact to DOD operations and must be reported through operational channels. Additional guidance on INFOCON reporting follows.
(1) Reporting Channels. Combatant commands, Services, and DOD agencies will report INFOCON changes and summary reports to the Joint Staff through the National Military Command Center (NMCC):

CJCS NMCC WASHINGTON DC//J3/J33/J39//

Combatant commands, Services, and DOD agencies will designate a reporting authority and establish reporting procedures for organizational entities under their jurisdictions. Service entities under the operational control of a combatant command will follow the reporting instructions of that combatant command. Individual Service policy may require information copies to higher Service headquarters. Those entities not reporting directly to a CINC will follow Service-reporting procedures (usually to the Service operations center, which would then forward the information to the NMCC).

(2) Reporting Frequency. Services, combatant commands, and Defense agencies will report INFOCON changes to the NMCC NLT 4 hours after the INFOCON has changed. Provide whatever information is available at the time and indicate fields that are unknown or unavailable. Report information missing from the initial report in a follow-up report when it becomes available. Services, combatant commands, and Defense agencies may dictate more frequent internal reporting to subordinate components.

(3) Report Formats. Reports of changes in INFOCON should be accompanied by an operational assessment of the situation when appropriate. Appendix D outlines a process for assessing the operational impact of a computer network attack. Reports will include, as a minimum:

(a) For all INFOCONs: unit/organization and location, date/time of report, current INFOCON, reason for declaration of this INFOCON, response actions taken, POC (name, rank, duty title, contact information).

(b) INFOCON BRAVO and higher. All of the above, plus: unit/organization mission, current operation(s) (name, type, and AOR) unit is supporting, upcoming operation(s) (name, type, AOR, and dates) unit is projected to support, Service computer emergency/incident response team (CERT/CIRT) or DISA Automated Systems Security Incident Support Team (ASSIST) incident number and law enforcement agency (LEA) case number with POC contact information.

(c) INFOCON CHARLIE and higher. All of the above, plus: system(s) affected (network, classification, application, database/data file), degree to which operational functions are affected (command and control; intelligence, surveillance and reconnaissance; movement/maneuver; sustainment; fires; and protection), impact (actual and/or potential) on current/planned missions and/or general capabilities, restoration priorities, workarounds.

(4) Dissemination of DOD INFOCON. The Joint Staff/JTF-CND will send notification to combatant commands, Services, and agencies when the DOD INFOCON is changed. Commands, Services, and agencies are responsible for notifying units assigned to them. Notification will include the following information:

(a) Date/time of report.

(b) Current INFOCON.

(c) Reason for declaration of this INFOCON.

(d) Current/planned operation(s) or capabilities, units/organizations, networks, systems, applications or data assessed to be impacted or at risk.

(e) Recommended or SecDef-directed actions.

(f) References to relevant technical advisories, intelligence assessments.

(g) POC contact information.

8. Security. Classification guidance and disclosure policy concerning IO is addressed in reference c. Specific guidance related to INFOCON follows.

a. INFOCON labels and descriptions are unclassified.

b. Generic defensive measures, when not tied to a specific INFOCON, are unclassified. Specific measures may be published in a classified appendix, if required.

c. Measures to be taken by all personnel, regardless of INFOCON, are unclassified.

d. General criteria to declare an INFOCON are FOR OFFICIAL USE ONLY (FOUO). Specific criteria may be published in a classified appendix, if required.

e. Classification of the measures associated with a particular INFOCON is the responsibility of the originator and will be classified according to content. However, the measures associated with a particular INFOCON, in aggregate, may require a higher classification than the individual measures. The measures associated with a particular INFOCON, in aggregate, will be FOUO at a minimum.

f. The operational impact of a successful information attack is classified SECRET or higher.

g. CNA intelligence assessments are classified SECRET or higher.

h. Information associated with an ongoing criminal investigation of a CNA may be considered law-enforcement sensitive.

i. A combatant command, Service, or agency may authorize release of its INFOCON system and procedures to allies or coalition partners as necessary to ensure effective protection of its information systems. Locally developed INFOCON procedures should use DODI 3600.2 and the guidance above when considering release to allies or coalition partners.

j. Changes in INFOCON are operational security (OPSEC) indicators and must be protected accordingly. The criteria and response measures are also of value to foreign intelligence services in assessing the effectiveness of a CNA and in analyzing DOD’s response. Do not post INFOCON procedures in publicly accessible locations such as unit web pages on unclassified networks and bulletin boards accessible to outsiders.
9. Relationship of INFOCON to Other Alert Systems. The INFOCON, THREATCON, DEFCON, CNA-WATCHCON, and conventional WATCHCON all interact with each other when the situation warrants it. The INFOCON may be changed based on the world situation (THREATCON, DEFCON), the intelligence community’s level of concern (CNA-WATCHCON, conventional WATCHCON), or other factors (reference Appendix C). Likewise, a change in INFOCON may prompt a corresponding change in other alert systems.

a. The defense condition (DEFCON) is a uniform system of progressive conditions describing the types of actions required to bring a command’s readiness to the level required by the situation (reference d).

b. The threat condition (THREATCON) is a process that sets the level for a terrorist threat condition at a given location, based on existing intelligence and other information.

c. A watch condition (WATCHCON) is part of the defense warning system indicating the degree of intelligence concern with a particular warning problem.

d. A CNA-WATCHCON is an intelligence assessment that takes into account CNA threat levels, as well as the overall political situation (reference b).

e. The INFOCON addresses risk of attack and protective measures for information and information systems.

10. Assessment

a. Exercises. INFOCON procedures should be practiced in all joint and/or combatant command exercises.

b. Combatant commands, Services, and agencies are requested to submit feedback to the Joint Staff on the effectiveness of the INFOCON system based on real-world and exercise data. The Joint Staff will review the system periodically to ensure it satisfies operational requirements.

11. These procedures are effective immediately and will remain in effect until superseded by DOD instruction.

12. List of Appendixes

a. General Security Practices.

b. Defensive Tactics.

c. Factors Influencing the INFOCON. See Annex A to Appendix C: CNA Intelligence Assessment Sample Format.

d. Operational Impact Assessment.

APPENDIX A - GENERAL SECURITY PRACTICES

Listed below are several measures that can significantly reduce the risk of successful attack against a critical information system. These activities should be the foundation of a sound, prevention-based information assurance/security program.

a. System Security Administration. All DOD activities must ensure their systems are administered by technically qualified, experienced personnel who are provided periodic professional training in system administration and security, as well as the necessary tools to assist in effective baseline management, auditing, and network intrusion detection. Configuration management, proper staffing, and strong systems policies are critical to reliable and secure operations.

b. Auditing/Log Review. All DOD activities should regularly review audit logs for suspicious activity, IAW Appendix E, reference a and locally existing guidance. Logging and review requirements may increase with increases in INFOCON, including more frequent reviews, focused string searches, analysis of activity below normal trigger thresholds, and submission of logs to an organization designated to conduct specialized reviews.

c. Critical File Back-up Procedures. All DOD activities should conduct periodic back-ups of files critical to mission accomplishment, IAW Appendix E, reference a and locally existing guidance. Storage of back-up files should be isolated from any network and physically separated from the originating facility. Increases in INFOCON may warrant changes in the frequency of back-ups from quarterly, monthly, or weekly to daily or real-time.

d. Internal Security Reviews. All DOD activities should establish procedures for conducting internal security reviews, IAW reference a and locally existing guidance. These reviews should consist of, as a minimum, the following actions:

(1) Check password strengths (searching for default and weak passwords).

(2) Review pertinent technical advisories; install patches, implement fixes, execute preventive/mitigating actions.

(3) Conduct information system vulnerability scans.

(4) Identify network access points and their operational importance.

(5) Raise awareness level of all users as new vulnerabilities are found.

(6) Examine historically dormant/infrequently used accounts for signs of unusual activity.

e. External Vulnerability Assessments. All DOD activities should establish procedures for coordinating with outside agencies (e.g., Service CERTs/CIRTs, DISA, and NSA) to conduct vulnerability assessments and analyses of their information systems, IAW existing guidance. These assessments may include network scans, OPSEC surveys, COMSEC reviews, and red team operations.
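Paragraph b above says review thresholds tighten as the INFOCON rises ("analysis of activity below normal trigger thresholds"), and paragraph d(6) asks for a look at dormant or infrequently used accounts. The Python below is an added example of one review pass that does both; it is not the thesis's prototype and not part of the appendix. The sshd-style log lines, the per-level failed-login thresholds and the account activity history are all constructed for the example, and the function names are assumptions.

```python
"""Audit-log review whose trigger threshold tightens with the INFOCON.

Added illustration, not code from the page. The log lines, thresholds and
account history are constructed; function names are assumptions.
"""
import re
from collections import Counter
from datetime import date, datetime

# Failed logins from one source address that trigger review at each level.
# Assumed values: higher INFOCONs surface activity "below normal trigger thresholds".
FAILED_LOGIN_THRESHOLD = {"NORMAL": 10, "ALPHA": 5, "BRAVO": 3, "CHARLIE": 2, "DELTA": 1}

AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log (not from the page).
SAMPLE_LOG = """\
Mar 12 03:14:01 host1 sshd[2201]: Failed password for admin from 10.0.0.5 port 5122 ssh2
Mar 12 03:14:07 host1 sshd[2201]: Failed password for admin from 10.0.0.5 port 5122 ssh2
Mar 12 03:14:13 host1 sshd[2203]: Failed password for root from 10.0.0.5 port 5123 ssh2
Mar 12 03:14:20 host1 sshd[2204]: Failed password for invalid user oracle from 10.0.0.5 port 5124 ssh2
Mar 12 03:20:00 host1 sshd[2210]: Accepted password for jsmith from 10.0.0.9 port 5130 ssh2
Mar 12 03:21:45 host1 sshd[2211]: Failed password for jsmith from 10.0.0.9 port 5131 ssh2
Mar 12 04:02:11 host1 sshd[2230]: Accepted password for svc_backup from 10.0.0.77 port 5140 ssh2
"""

# Constructed record of each account's last known activity before the review window.
LAST_ACTIVITY = {
    "admin": date(2003, 3, 1),
    "jsmith": date(2003, 3, 11),
    "svc_backup": date(2002, 10, 1),
}


def parse_auth_line(line, year=2003):
    """Return a dict for an sshd password event, or None for lines not under review."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"when": when, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def parse_log(text, year=2003):
    events = (parse_auth_line(line, year) for line in text.splitlines())
    return [e for e in events if e is not None]


def flagged_sources(events, infocon):
    """Source addresses whose failed-login count meets the threshold for `infocon`."""
    threshold = FAILED_LOGIN_THRESHOLD[infocon]
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    return sorted(src for src, n in failures.items() if n >= threshold)


def dormant_account_logins(events, last_activity, dormant_days=90):
    """Successful logins to accounts with no recorded activity within `dormant_days`
    (or none at all), the check Appendix A.d(6) asks for."""
    hits = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        prev = last_activity.get(e["user"])
        if prev is None or (e["when"].date() - prev).days > dormant_days:
            hits.append((e["user"], e["when"].isoformat()))
    return hits


def review_log(text, infocon, last_activity=LAST_ACTIVITY):
    """One review pass: what a reviewer at `infocon` should look at."""
    events = parse_log(text)
    return {
        "infocon": infocon,
        "events": len(events),
        "flagged_sources": flagged_sources(events, infocon),
        "dormant_logins": dormant_account_logins(events, last_activity),
    }


if __name__ == "__main__":
    for level in ("NORMAL", "BRAVO", "DELTA"):
        print(review_log(SAMPLE_LOG, level))
```

With the constructed log, the four failures from one address are invisible at NORMAL and ALPHA, surface at BRAVO, and at DELTA every failed attempt is reviewed; the `svc_backup` login is flagged at every level because the account had been idle for months.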
APPENDIX B - DEFENSIVE TACTICS

1. The following list of defensive tactics offers possible responses to several types of suspicious/unauthorized activity. Defensive tactics should not be executed without some knowledge of the degree to which an intruder has penetrated the system and careful consideration of the potential, practical and legal consequences. For instance, changing passwords to lock out unauthorized access to valid accounts may not be prudent if a sniffer has been installed which can capture the new passwords.

2. Types of Activity. Adversary activity may be categorized as reconnaissance/suspicious activity, unauthorized access, denial of service, data browsing, data corruption, and malicious code. Conducting activities such as data browsing and data corruption is dependent upon gaining access to the system. Therefore, actions that prevent or halt unauthorized access might also be used to counteract data browsing and corruption.

3. General Actions. The following actions may or may not be valid responses to several or all types of malicious activity. The decision whether or not to employ them depends on the severity of the attack, and the practical and legal issues relating to such actions.

a. Disseminate reports/alert messages with suspicious Internet Protocol (IP) addresses, attack profiles/signatures.

b. Review thresholds for defensive systems (e.g., firewalls) and update for new/detected threats.

c. Freeze/eliminate compromised or unauthorized accounts.

d. Isolate affected network segment.

e. Re-route intruder to dummy network.

f. Jam communication lines.

g. Review thresholds for defensive systems and update for new/detected threats.

h. Tag critical files.

i. Block offending IP addresses/telephone lines.

j. Isolate compromised portions of affected system and monitor/log all activity.

k. Re-route intruder to a decoy system and continue logging activity.

l. Refer to identified technical advisories/alerts (Service CERTs/CIRTs, DISA ASSIST, NSA IPC, etc.).

m. Recall key information system security personnel.

n. Activate crisis action team to respond to impact of adversary CNA.

4. Reconnaissance/Suspicious Activity

a. Description. Automated scans/manual probes of networks to ascertain if the target system has known vulnerabilities or to get general information about the target system.

b. Possible defensive actions include reconstructing the scan/probing to determine what information was revealed, monitoring all incoming activity from the source IP address, blocking all access from the source IP address.

5. Denial of Service

a. Description: any action that causes all or part of the affected network’s service to be stopped entirely, interrupted, or degraded sufficiently to impact network operations. Service may be denied by crashing the system, jamming it with packets, or consuming disk space, processor time or other resources.

b. Possible defensive actions include blocking all incoming activity from the source IP address/phone line.

6. Unauthorized Access

a. Description. Entry into and use of a system by an unauthorized individual.

b. Possible defensive actions include changing passwords; blocking all access from the source IP address; freezing/eliminating compromised, infrequently used, or historically dormant user accounts.

7. Data Browsing

a. Description. Unauthorized reading, capturing and/or downloading of information stored on or transmitted over a network.

b. Possible defensive actions for stored information include: encrypt files/directories; generate dummy files to confuse browsers; hide and/or rename key files or directories; transfer sensitive files from servers to auxiliary storage media; tag potential target files.

c. Possible defensive actions for transmitted information include point-to-point encryption, flooding transmission lines with useless information, employing COMSEC procedures (limit traffic, use codes), using cover accounts.

8. Data Corruption

a. Description. Unauthorized modification of the contents of a file, database, or transmission. Ranges from subtle alterations that may not be noticed to complete destruction of the information, rendering the file, database, or transmission unusable.

b. Possible defensive actions include resetting file/directory access controls; backing up key verifiable files onto CD-ROM; using back-up files; storing key files/databases on removable storage media; employing checksums, signature files, and file tagging; developing a counter-deception plan.

9. Malicious Logic

a. Description. Hardware, software, or firmware intentionally inserted into an information system for an unauthorized purpose (e.g., virus and Trojan horse).

b. Possible defensive actions include updating virus signature files and running appropriate virus detection/eradication software (if virus is known); checking all systems and signature files for unauthorized files or changes to files; removing user-specific, nonstandard applications; removing intranet web pages containing executable code fragments; disabling user-installed documents/templates containing macros.
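Paragraph 8.b above lists "checksums, signature files, and file tagging" against data corruption, and 9.b lists "checking all systems and signature files for unauthorized files or changes to files" against malicious logic. Both rest on the same mechanism: a stored digest per file, compared against a fresh pass over the tree. The Python below is an added example of that mechanism, not code from the page or the thesis; the file names in `demo()` are constructed and the function names are assumptions. It reports three things a reviewer cares about separately: files whose content changed, files that appeared, and files that vanished.

```python
"""File-integrity baseline and verification with cryptographic checksums.

Added illustration, not code from the page. File names in demo() are
constructed; function names are assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under `root` (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(root, baseline):
    """Compare the tree under `root` with a stored baseline.

    Returns modified, added and missing paths; all three empty means the
    tree matches the signature file exactly.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline, path):
    """Write the signature file. Per Appendix A.c it belongs on media isolated
    from the network, so an intruder cannot rewrite it along with the files."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline three files, then modify one, add one, delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF original build")

        signature_file = Path(tmp) / "baseline.json"   # kept outside the tree
        save_baseline(build_baseline(root), signature_file)

        (root / "bin" / "login").write_bytes(b"\x7fELF altered build")  # corruption
        (root / "etc" / "shadow.bak").write_text("unexpected\n")        # unauthorized file
        (root / "etc" / "hosts").unlink()                                # deletion

        return verify_baseline(root, load_baseline(signature_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as its storage: if the signature file sits on the same writable volume as the files it describes, an intruder who can alter a file can also re-hash it, which is why the appendix pairs checksums with removable or write-once media.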
APPENDIX C - FACTORS INFLUENCING THE INFOCON

When determining the appropriate defensive posture, many factors must be considered. This appendix lists several factors that commanders should consider when determining the INFOCON. (Note: This list is offered as broad guidance; other factors may be considered also.)

a. CNA-WATCHCON and threat warning assessments (reference b). Paragraph 9 and reference b provide more information on CNA-WATCHCONs. Also, other threat-warning assessments may be considered when determining the INFOCON.

b. Other indications & warning (including domestic threats). NSA IPC Alerts; National Infrastructure Protection Center (NIPC) advisories, threats, warnings; Service law enforcement agency intrusion reports, etc.

c. CNA intelligence assessment. (See Annex A for sample format.) This report provides a fused intelligence assessment of the attack. US intelligence organizations work within legal restrictions on collecting and retaining information on US persons, IAW Executive Order 12333 and implementing DOD and Service regulations. Intelligence personnel will ensure mission accomplishment and compliance with relevant intelligence law by coordinating closely with law enforcement personnel. In the event that a CNA assessment leads intelligence personnel to US person information which they are legally prevented from pursuing further, they will transfer the matter to the appropriate law enforcement organization, who will then produce a similar CNA assessment report, sanitized to protect law enforcement-sensitive information.

d. Conventional WATCHCON. Conventional warnings on actors with CNA capability may suggest an increased risk of CNA from those actors.

e. Current world situation. Increased tensions with a nation possessing CNA capability may precede CNA operations against us.

f. Other alert systems such as DEFCON, THREATCON, etc. Reference d, paragraph 9, and local security procedures discuss various alert systems. Local commanders must determine if a change in one alert status will cause a corresponding change in another alert status.

g. Current/planned military operations. The operational context within which an event occurs is critical to determining the appropriate level of response. Any contingencies, crisis actions, exercises, or other operations a unit is supporting or projected to support must be considered when determining the INFOCON.

h. Dependence of military functions upon particular information systems. Applications directly supporting military functions (i.e., command and control; intelligence, surveillance, and reconnaissance; movement and maneuver; fires; and sustainment) may be predominantly resident on a single network or system. For example, the Global Transportation Network (GTN) is an NIPRNET-based application. If NIPRNET is the affected system, GTN and consequently the sustainment function may be adversely impacted. This type of analysis may suggest the degree to which a particular network, system, application or database is mission critical.

i. Commander’s assessment of mission-critical information system readiness. Conceptually similar to ‘status of resources and training system’ (SORTS). Commanders may base unit ability to accomplish the mission in part on the readiness of unit computer networks and systems. This readiness may be determined from the networks’ security posture, vulnerability, extent of compromise, etc.

j. Information Assurance Vulnerability Alert (IAVA) bulletins. See reference a for format and explanation.

k. Incident reports. These are roughly analogous to tactical warning/attack assessment. See reference a for format and explanation.

l. Trend analyses. Reports showing number, type, and frequency of attacks; systems targeted; hot IP addresses, etc. See reference a for format and explanation.

m. Technical impact assessment. This information may be included in an incident report, or may result from follow-on analysis. This assessment may include the extent of system compromise and/or disruption and the degree to which system confidentiality, integrity, availability, authentication, and non-repudiation have been affected. See reference a for an explanation of these terms.

n. Operational impact assessment, a key element in determining the INFOCON. (See Appendix D for procedures.) The process for assessing operational impact also lays the groundwork for executing preventive measures, developing workarounds, and establishing restoration priorities.

o. Commander’s assessment of the potential for an information attack. Although much objective data is available on which to base the decision, the final judgment for declaring an INFOCON change rests with the commander. Objective assessment of the situation and prudent analysis of all available information must be integrated with the commander’s experience and leadership to determine the organization’s appropriate defensive posture.
ANNEX A TO APPENDIX C

CNA INTELLIGENCE ASSESSMENT SAMPLE FORMAT

1. Reference. CNA incident source reports (include originating agency, message DTG).

2. Executive Summary. Between 1 and 4 sentences summarizing significant elements of report.

3. Incident Summary. The following information is available from incident reports (reference a) and is included as background in this section of the intelligence assessment report:

a. Time and duration of incident.

b. CNA technique employed.

c. Path of attack/identification and location of origin of attack.

d. Location of system/network targeted.

e. Unit subordination of system/network targeted.

f. Mission of system/network targeted.

g. Actual impact of attack.

h. Potential impact of attack.

4. Intelligence Assessment. Consistent with intelligence law restrictions on the collection of US person information, the following information will be generated by intelligence analysts and included in this section of the intelligence assessment report:

a. Assessed source of attack. (Who did it? A certain terrorist group, government, or sub-organization defined to the best extent possible.)

b. Assessed type of attack. (What did they do? How? Provide simple explanation of the technical basis of the attack technique or tools from the perspective of insights into adversary capabilities.)

c. Assessed motivation of attack. (Why did they do it? Collect intelligence, implant malicious logic, harass/distract, disrupt operations, etc.)

d. Supporting analysis for both of the above assessments. (In addition to the logical inferences based on the current situation, background data should be provided: known CNA organizations, past practices, doctrine, etc.)

e. Contextual data on the situation. (What else is going on other than CNA that is potentially relevant to the current situation?)

f. Follow-on projection. (What can we expect next from the perpetrator? What about use of the particular CNA technique by others?)
APPENDIX D - OPERATIONAL IMPACT ASSESSMENT


1. Assessing the impact of CNA on our ability to conduct military operations is
key to conducting damage assessment, prioritizing response actions, and assisting in
identifying possible adversaries. This appendix offers an operational impact assessment
process that may be used when reporting changes in INFOCON. Note: assessment
results are classified SECRET at a minimum. The assessment process itself is
unclassified.

2. Prior to an attack:

a. Identify all critical information systems.

b. For each critical information system, identify all resident critical
applications and databases.

c. Determine which military functions are supported by each
application/database: command and control; intelligence, surveillance, and
reconnaissance; movement and maneuver; fires; sustainment; and protection.

3. After an attack or attempted attack has been detected:

a. Identify all critical information systems targeted.

b. List operations the unit is currently supporting or projected to support in
the near future.

c. For each information system targeted, determine the technical impact, i.e.,
to what degree are confidentiality, integrity, availability, authentication, and
non-repudiation affected? What critical applications and databases are impacted?

d. For the technical impacts identified, estimate the time and resources
required to restore functionality. Identify any interim workarounds.

e. How does the technical impact of the attack affect the unit's ability to
function?

f. How does the impact to the unit's ability to function affect support to
current/projected operations? If no specific operations are ongoing or projected, how is
general capability/readiness affected?
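The process above, as an added illustration that is not part of the instruction or of the thesis: the inventory that step 2 builds before an attack is a map from each critical system to its resident applications and to the military functions each application supports; once step 3c has rated the technical impact on a targeted system, that map is walked in reverse to list which functions are affected and how badly, carrying step 3d's restoration estimates along. System and application names are constructed, and the three-level impact scale (none, degraded, lost) is an assumption made for the example, not a scale the appendix defines.

```python
# Added example (not from the instruction or the thesis): a small model of the Appendix D
# process. Step 2 builds an inventory mapping each critical system to its resident
# applications and the military functions they support; step 3 takes the technical impact
# reported per targeted system and rolls it up to the functions that depend on it.
# System and application names are constructed; the three-level impact scale is an assumption.
from dataclasses import dataclass, field

SEVERITY = {"none": 0, "degraded": 1, "lost": 2}            # assumed ordinal scale for step 3c
PROPERTIES = ("confidentiality", "integrity", "availability",
              "authentication", "non-repudiation")          # the five properties named in step 3c
FUNCTIONS = ("command and control",
             "intelligence, surveillance, and reconnaissance",
             "movement and maneuver", "fires", "sustainment", "protection")  # step 2c


@dataclass
class Inventory:
    """system -> application -> set of military functions (steps 2a-2c)."""
    systems: dict = field(default_factory=dict)

    def add(self, system: str, application: str, *functions: str) -> None:
        unknown = set(functions) - set(FUNCTIONS)
        if unknown:
            raise ValueError(f"not a listed military function: {sorted(unknown)}")
        self.systems.setdefault(system, {}).setdefault(application, set()).update(functions)


def assess(inventory: Inventory, impacts: dict) -> dict:
    """impacts: {system: {"properties": {property: level}, "restore_hours": number}}
    for each targeted system (steps 3a, 3c, 3d). Returns, per affected military function,
    the worst impact level, the longest restoration estimate, and the (system, application)
    pairs behind it (steps 3e-3f). Functions with no affected dependency are omitted."""
    result = {}
    for system, report in impacts.items():
        props = report["properties"]
        bad = set(props) - set(PROPERTIES)
        if bad:
            raise ValueError(f"unknown property: {sorted(bad)}")
        worst = max((SEVERITY[v] for v in props.values()), default=0)
        if worst == 0:
            continue                                   # attempted attack, no technical impact
        for application, functions in inventory.systems.get(system, {}).items():
            for fn in functions:
                entry = result.setdefault(fn, {"severity": 0, "restore_hours": 0.0, "sources": []})
                entry["severity"] = max(entry["severity"], worst)
                entry["restore_hours"] = max(entry["restore_hours"], report.get("restore_hours", 0.0))
                entry["sources"].append((system, application))
    return result


def demo() -> dict:
    """Constructed inventory and post-detection reports, returned as the rolled-up assessment."""
    inv = Inventory()
    inv.add("c2-server", "message-handler", "command and control")
    inv.add("intel-db-host", "target-database",
            "intelligence, surveillance, and reconnaissance", "fires")
    inv.add("logistics-host", "supply-tracker", "sustainment")
    impacts = {                                        # constructed step-3 reports
        "c2-server": {"properties": {"availability": "lost"}, "restore_hours": 12},
        "intel-db-host": {"properties": {"integrity": "degraded"}, "restore_hours": 4},
        "logistics-host": {"properties": {"confidentiality": "none"}, "restore_hours": 0},
    }
    return assess(inv, impacts)


if __name__ == "__main__":
    for fn, r in sorted(demo().items(), key=lambda kv: -kv[1]["severity"]):
        print(f"{fn}: severity {r['severity']}, restore ~{r['restore_hours']}h, via {r['sources']}")
```

The roll-up takes the worst of the five properties per system, so a system that lost availability outranks one with degraded integrity, and a function served by several impacted systems inherits the longest restoration estimate among them, which is the number step 3f needs when judging support to current operations.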
APPENDIX E - REFERENCES


a. CJCSI 6510.01b, Defensive Information Operations Implementation

b. DIA message QIMIIt. JUN 98, Indications and Warning for Information
Warfare/Information Operations {CNA-WATCHCON}

c. DODI 3600.2, Classification Guidance for Information Operations

d. CJCSM 3402.01A, Alert System of the Chairman of the Joint Chiefs of
Staff

e. CJCSI 6900.01A, Telecommunications Economy and Discipline

f. DODD 3020.26, Continuity of Operations, Policies and Planning
APPENDIX D - FPCON (SOURCE JO01)


The  terrorist  force  protection  conditions,  FPCONs,  outlined  below  describe  the 
progressive  level  of  a  terrorist  threat  to  all  US  military  facilities  and  personnel  under 
DOD  Directive  0-2000.12.  As  approved  by  the  Chairman  of  the  Joint  Chiefs  of  Staff,  the 
terminology  and  definitions  are  recommended  security  measures  designed  to  ease  inter- 
Service  coordination  and  support  of  US  military  antiterrorism  activities.  The  purpose  of 
the  FPCON  system  is  accessibility  to,  and  easy  dissemination  of,  appropriate  information. 
The  DOD  Directive  0-2000.12  recommended  measures  are: 

•  FPCON  NORMAL  exists  when  a  general  threat  of  possible  terrorist  activity  exists 
but  warrants  only  a  routine  security  posture. 

•  FPCON  ALPHA  applies  when  there  is  a  general  threat  of  possible  terrorist  activity 
against  personnel  and  facilities,  the  nature  and  extent  of  which  are  unpredictable,  and 
circumstances  do  not  justify  full  implementation  of  FPCON  BRAVO  measures. 
However,  it  may  be  necessary  to  implement  certain  measures  from  higher  FPCONs 
resulting  from  intelligence  received  or  as  a  deterrent.  The  measures  in  this  FPCON 
must  be  capable  of  being  maintained  indefinitely. 

•  Measure  1.  At  regular  intervals,  remind  all  personnel  and  dependents  to  be 
suspicious  and  inquisitive  about  strangers,  particularly  those  carrying 
suitcases  or  other  containers.  Watch  for  unidentified  vehicles  on  or  in  the 
vicinity  of  US  installations.  Watch  for  abandoned  parcels  or  suitcases  and  any 
unusual  activity. 

•  Measure  2.  The  duty  officer  or  personnel  with  access  to  building  plans  as  well 
as  the  plans  for  area  evacuations  must  be  available  at  all  times.  Key  personnel 
should  be  able  to  seal  off  an  area  immediately.  Key  personnel  required  to 
implement  security  plans  should  be  on-call  and  readily  available. 

•  Measure  3.  Secure  buildings,  rooms,  and  storage  areas  not  in  regular  use. 

•  Measure  4.  Increase  security  spot  checks  of  vehicles  and  persons  entering  the 
installation  and  unclassified  areas  under  the  jurisdiction  of  the  United  States. 

•  Measure  5.  Limit  access  points  for  vehicles  and  personnel  commensurate  with 
a  reasonable  flow  of  traffic. 

•  Measure  6.  As  a  deterrent,  apply  measures  14,  15,  17,  or  18  from  FPCON 
BRAVO  either  individually  or  in  combination  with  each  other. 

•  Measure  7.  Review  all  plans,  orders,  personnel  details,  and  logistic 
requirements  related  to  the  introduction  of  higher  THREATCONs. 

•  Measure  8.  Review  and  implement  security  measures  for  high-risk  personnel 
as  appropriate. 

•  Measure  9.  As  appropriate,  consult  local  authorities  on  the  threat  and  mutual 
antiterrorism  measures. 

•  FPCON  BRAVO  applies  when  an  increased  and  more  predictable  threat  of  terrorist 
activity  exists.  The  measures  in  this  FPCON  must  be  capable  of  being  maintained  for 
weeks without causing undue hardship, affecting operational capability, and
aggravating relations with local authorities.

•  Measure 11. Repeat measure 1 and warn personnel of any other potential form
of terrorist attack.

•  Measure  12.  Keep  all  personnel  involved  in  implementing  antiterrorist 
contingency  plans  on  call. 

•  Measure  13.  Check  plans  for  implementation  of  the  next  FPCON. 

•  Measure  14.  Move  cars  and  objects  (e.g.,  crates,  trash  containers)  at  least  25 
meters  from  buildings,  particularly  buildings  of  a  sensitive  or  prestigious 
nature.  Consider  centralized  parking. 

•  Measure  15.  Secure  and  regularly  inspect  all  buildings,  rooms,  and  storage 
areas  not  in  regular  use. 

•  Measure  16.  At  the  beginning  and  end  of  each  workday,  as  well  as  at  other 
regular  and  frequent  intervals,  inspect  the  interior  and  exterior  of  buildings  in 
regular  use  for  suspicious  packages. 

•  Measure  17.  Examine  mail  (above  the  regular  examination  process)  for  letter 
or  parcel  bombs. 

•  Measure  18.  Check  all  deliveries  to  messes,  clubs,  etc.  Advise  dependents  to 
check  home  deliveries. 

•  Measure  19.  Increase  surveillance  of  domestic  accommodations,  schools, 
messes,  clubs,  and  other  soft  targets  to  improve  deterrence  and  defense,  and  to 
build  confidence  among  staff  and  dependents. 

•  Measure  20.  Make  staff  and  dependents  aware  of  the  general  situation  in  order 
to  stop  rumors  and  prevent  unnecessary  alarm. 

•  Measure  21.  At  an  early  stage,  inform  members  of  local  security  committees 
of  actions  being  taken.  Explain  reasons  for  actions. 

•  Measure  22.  Physically  inspect  visitors  and  randomly  inspect  their  suitcases, 
parcels,  and  other  containers.  Identify  the  visitor's  destination.  Ensure  that 
proper  dignity  is  maintained,  and  if  possible,  ensure  that  female  visitors  are 
inspected  only  by  a  female  qualified  to  conduct  physical  inspections. 

•  Measure  23.  Operate  random  patrols  to  check  vehicles,  people,  and  buildings. 

•  Measure  24.  Protect  off-base  military  personnel  and  military  vehicles  in 
accordance  with  prepared  plans.  Remind  drivers  to  lock  vehicles  and  check 
vehicles  before  entering  or  exiting  the  vehicle. 

•  Measure  25.  Implement  additional  security  measures  for  high-risk  personnel 
as  appropriate. 

•  Measure  26.  Brief  personnel  who  may  augment  guard  forces  on  the  use  of 
deadly  force.  Ensure  that  there  is  no  misunderstanding  of  these  instructions. 

•  Measure 27. As appropriate, consult local authorities on the threat and
mutual antiterrorism measures.

•  FPCON CHARLIE applies when an incident occurs or intelligence is received
indicating some form of terrorist action against personnel and facilities is imminent.
Implementation of measures in this FPCON for more than a short period probably
will create hardship and affect the peacetime activities of the unit and its personnel.

•  Measure 30. Continue, or introduce, all measures listed in FPCON BRAVO.

•  Measure  31.  Keep  all  personnel  responsible  for  implementing  antiterrorist 
plans  at  their  places  of  duty. 

•  Measure  32.  Limit  access  points  to  the  absolute  minimum. 

•  Measure  33.  Strictly  enforce  control  of  entry.  Randomly  search  vehicles. 

•  Measure  34.  Enforce  centralized  parking  of  vehicles  away  from  sensitive 
buildings. 

•  Measure  35.  Issue  weapons  to  guards.  Local  orders  should  include  specific 
orders  on  issue  of  ammunition. 

•  Measure  36.  Increase  patrolling  of  the  installation. 

•  Measure  37.  Protect  all  designated  vulnerable  points.  Give  special  attention  to 
vulnerable  points  outside  the  military  establishment. 

•  Measure  38.  Erect  barriers  and  obstacles  to  control  traffic  flow. 

•  Measure  39.  Consult  local  authorities  about  closing  public  (and  military) 
roads  and  facilities  that  might  make  sites  more  vulnerable  to  attacks. 

•  FPCON DELTA applies in the immediate area where a terrorist attack has occurred
or when intelligence has been received that terrorist action against a specific location
or person is likely. Normally, this FPCON is declared as a localized condition.

•  Measure 41. Continue, or introduce, all measures listed for FPCONs BRAVO
and CHARLIE.

•  Measure  42.  Augment  guards  as  necessary. 

•  Measure  43.  Identify  all  vehicles  within  operational  or  mission-support  areas. 

•  Measure  44.  Search  all  vehicles  and  their  contents  before  allowing  entrance  to 
the  installation. 

•  Measure  45.  Control  access  and  implement  positive  identification  of  all 
personnel— no  exceptions. 

•  Measure 46. Search all suitcases, briefcases, packages, etc., brought into the
installation.

•  Measure  47.  Control  access  to  all  areas  under  the  jurisdiction  of  the  United 
States. 

•  Measure  48.  Make  frequent  checks  of  the  exterior  of  buildings  and  of  parking 
areas. 

•  Measure  49.  Minimize  all  administrative  journeys  and  visits. 

•  Measure 50. Coordinate the possible closing of public and military roads and
facilities with local authorities.
APPENDIX E - HOMELAND SECURITY PRESIDENTIAL
DIRECTIVE - 3 (SOURCE WH01)


Homeland  Security  Presidential  Directive-3 

Purpose 

The  Nation  requires  a  Homeland  Security  Advisory  System  to  provide  a 
comprehensive  and  effective  means  to  disseminate  information  regarding  the 
risk  of  terrorist  acts  to  Federal,  State,  and  local  authorities  and  to  the  American 
people.  Such  a  system  would  provide  warnings  in  the  form  of  a  set  of  graduated 
"Threat  Conditions"  that  would  increase  as  the  risk  of  the  threat  increases.  At 
each  Threat  Condition,  Federal  departments  and  agencies  would  implement  a 
corresponding  set  of  "Protective  Measures"  to  further  reduce  vulnerability  or 
increase  response  capability  during  a  period  of  heightened  alert. 


This  system  is  intended  to  create  a  common  vocabulary,  context,  and  structure 
for  an  ongoing  national  discussion  about  the  nature  of  the  threats  that  confront 
the  homeland  and  the  appropriate  measures  that  should  be  taken  in  response. 

It  seeks  to  inform  and  facilitate  decisions  appropriate  to  different  levels  of 
government  and  to  private  citizens  at  home  and  at  work. 

Homeland  Security  Advisory  System 

The  Homeland  Security  Advisory  System  shall  be  binding  on  the  executive  branch  and 
suggested,  although  voluntary,  to  other  levels  of  government  and  the  private  sector.  There  are 
five  Threat  Conditions,  each  identified  by  a  description  and  corresponding  color.  From  lowest  to 
highest,  the  levels  and  colors  are: 

Low  =  Green; 

Guarded  =  Blue; 

Elevated  =  Yellow; 

High  =  Orange; 

Severe  =  Red. 

The  higher  the  Threat  Condition,  the  greater  the  risk  of  a  terrorist  attack.  Risk  includes  both  the 
probability  of  an  attack  occurring  and  its  potential  gravity.  Threat  Conditions  shall  be  assigned  by 
the  Attorney  General  in  consultation  with  the  Assistant  to  the  President  for  Homeland  Security. 
Except  in  exigent  circumstances,  the  Attorney  General  shall  seek  the  views  of  the  appropriate 
Homeland  Security  Principals  or  their  subordinates,  and  other  parties  as  appropriate,  on  the 
Threat  Condition  to  be  assigned.  Threat  Conditions  may  be  assigned  for  the  entire  Nation,  or  they 
may  be  set  for  a  particular  geographic  area  or  industrial  sector.  Assigned  Threat  Conditions  shall 
be  reviewed  at  regular  intervals  to  determine  whether  adjustments  are  warranted. 

For  facilities,  personnel,  and  operations  inside  the  territorial  United  States,  all  Federal 
departments,  agencies,  and  offices  other  than  military  facilities  shall  conform  their  existing  threat 
advisory  systems  to  this  system  and  henceforth  administer  their  systems  consistent  with  the 
determination  of  the  Attorney  General  with  regard  to  the  Threat  Condition  in  effect. 
The assignment of a Threat Condition shall prompt the implementation of an appropriate set of
Protective  Measures.  Protective  Measures  are  the  specific  steps  an  organization  shall  take  to 
reduce  its  vulnerability  or  increase  its  ability  to  respond  during  a  period  of  heightened  alert.  The 
authority  to  craft  and  implement  Protective  Measures  rests  with  the  Federal  departments  and 
agencies.  It  is  recognized  that  departments  and  agencies  may  have  several  preplanned  sets  of 
responses  to  a  particular  Threat  Condition  to  facilitate  a  rapid,  appropriate,  and  tailored  response. 
Department and agency heads are responsible for developing their own Protective Measures
and  other  antiterrorism  or  self-protection  and  continuity  plans,  and  resourcing,  rehearsing, 
documenting,  and  maintaining  these  plans.  Likewise,  they  retain  the  authority  to  respond,  as 
necessary,  to  risks,  threats,  incidents,  or  events  at  facilities  within  the  specific  jurisdiction  of  their 
department  or  agency,  and,  as  authorized  by  law,  to  direct  agencies  and  industries  to  implement 
their  own  Protective  Measures.  They  shall  continue  to  be  responsible  for  taking  all  appropriate 
proactive  steps  to  reduce  the  vulnerability  of  their  personnel  and  facilities  to  terrorist  attack. 
Federal  department  and  agency  heads  shall  submit  an  annual  written  report  to  the  President, 
through  the  Assistant  to  the  President  for  Homeland  Security,  describing  the  steps  they  have 
taken  to  develop  and  implement  appropriate  Protective  Measures  for  each  Threat  Condition. 
Governors,  mayors,  and  the  leaders  of  other  organizations  are  encouraged  to  conduct  a  similar 
review of their organizations' Protective Measures.

The  decision  whether  to  publicly  announce  Threat  Conditions  shall  be  made  on  a  case-by-case 
basis  by  the  Attorney  General  in  consultation  with  the  Assistant  to  the  President  for  Homeland 
Security.  Every  effort  shall  be  made  to  share  as  much  information  regarding  the  threat  as 
possible,  consistent  with  the  safety  of  the  Nation.  The  Attorney  General  shall  ensure,  consistent 
with  the  safety  of  the  Nation,  that  State  and  local  government  officials  and  law  enforcement 
authorities  are  provided  the  most  relevant  and  timely  information.  The  Attorney  General  shall  be 
responsible  for  identifying  any  other  information  developed  in  the  threat  assessment  process  that 
would  be  useful  to  State  and  local  officials  and  others  and  conveying  it  to  them  as  permitted 
consistent  with  the  constraints  of  classification.  The  Attorney  General  shall  establish  a  process 
and  a  system  for  conveying  relevant  information  to  Federal,  State,  and  local  government  officials, 
law  enforcement  authorities,  and  the  private  sector  expeditiously. 

The  Director  of  Central  Intelligence  and  the  Attorney  General  shall  ensure  that  a  continuous  and 
timely  flow  of  integrated  threat  assessments  and  reports  is  provided  to  the  President,  the  Vice 
President,  Assistant  to  the  President  and  Chief  of  Staff,  the  Assistant  to  the  President  for 
Homeland  Security,  and  the  Assistant  to  the  President  for  National  Security  Affairs.  Whenever 
possible  and  practicable,  these  integrated  threat  assessments  and  reports  shall  be  reviewed  and 
commented  upon  by  the  wider  interagency  community. 

A  decision  on  which  Threat  Condition  to  assign  shall  integrate  a  variety  of  considerations.  This 
integration  will  rely  on  qualitative  assessment,  not  quantitative  calculation.  Higher  Threat 
Conditions  indicate  greater  risk  of  a  terrorist  act,  with  risk  including  both  probability  and  gravity. 
Despite  best  efforts,  there  can  be  no  guarantee  that,  at  any  given  Threat  Condition,  a  terrorist 
attack  will  not  occur.  An  initial  and  important  factor  is  the  quality  of  the  threat  information  itself. 
The  evaluation  of  this  threat  information  shall  include,  but  not  be  limited  to,  the  following  factors: 

1. To what degree is the threat information credible?

2.  To  what  degree  is  the  threat  information  corroborated? 

3.  To  what  degree  is  the  threat  specific  and/or  imminent? 

4.  How  grave  are  the  potential  consequences  of  the  threat? 

Threat  Conditions  and  Associated  Protective  Measures 
The world has changed since September 11, 2001. We remain a Nation at risk to terrorist attacks
and  will  remain  at  risk  for  the  foreseeable  future.  At  all  Threat  Conditions,  we  must  remain 
vigilant,  prepared,  and  ready  to  deter  terrorist  attacks.  The  following  Threat  Conditions  each 
represent  an  increasing  risk  of  terrorist  attacks.  Beneath  each  Threat  Condition  are  some 
suggested  Protective  Measures,  recognizing  that  the  heads  of  Federal  departments  and  agencies 
are  responsible  for  developing  and  implementing  appropriate  agency-specific  Protective 
Measures: 

1. Low Condition (Green). This condition is declared when there is a low risk of terrorist
attacks.  Federal  departments  and  agencies  should  consider  the  following  general 
measures  in  addition  to  the  agency-specific  Protective  Measures  they  develop  and 
implement: 

1. Refining and exercising as appropriate preplanned Protective Measures;

2.  Ensuring  personnel  receive  proper  training  on  the  Homeland  Security  Advisory 
System  and  specific  preplanned  department  or  agency  Protective  Measures;  and 

3.  Institutionalizing  a  process  to  assure  that  all  facilities  and  regulated  sectors  are 
regularly  assessed  for  vulnerabilities  to  terrorist  attacks,  and  all  reasonable 
measures  are  taken  to  mitigate  these  vulnerabilities. 

2. Guarded Condition (Blue). This condition is declared when there is a general risk of
terrorist  attacks.  In  addition  to  the  Protective  Measures  taken  in  the  previous  Threat 
Condition,  Federal  departments  and  agencies  should  consider  the  following  general 
measures  in  addition  to  the  agency-specific  Protective  Measures  that  they  will  develop 
and  implement: 

1. Checking communications with designated emergency response or command
locations; 

2.  Reviewing  and  updating  emergency  response  procedures;  and 

3.  Providing  the  public  with  any  information  that  would  strengthen  its  ability  to  act 
appropriately. 

3.  Elevated  Condition  (Yellow).  An  Elevated  Condition  is  declared  when  there  is  a 
significant  risk  of  terrorist  attacks.  In  addition  to  the  Protective  Measures  taken  in  the 
previous  Threat  Conditions,  Federal  departments  and  agencies  should  consider  the 
following  general  measures  in  addition  to  the  Protective  Measures  that  they  will  develop 
and  implement: 

1. Increasing surveillance of critical locations;

2.  Coordinating  emergency  plans  as  appropriate  with  nearby  jurisdictions; 

3.  Assessing  whether  the  precise  characteristics  of  the  threat  require  the  further 
refinement  of  preplanned  Protective  Measures;  and 

4.  Implementing,  as  appropriate,  contingency  and  emergency  response  plans. 

4.  High  Condition  (Orange).  A  High  Condition  is  declared  when  there  is  a  high  risk  of 
terrorist  attacks.  In  addition  to  the  Protective  Measures  taken  in  the  previous  Threat 
Conditions,  Federal  departments  and  agencies  should  consider  the  following  general 
measures  in  addition  to  the  agency-specific  Protective  Measures  that  they  will  develop 
and  implement: 

1. Coordinating necessary security efforts with Federal, State, and local law
enforcement  agencies  or  any  National  Guard  or  other  appropriate  armed  forces 
organizations; 

2.  Taking  additional  precautions  at  public  events  and  possibly  considering 
alternative  venues  or  even  cancellation; 

3.  Preparing  to  execute  contingency  procedures,  such  as  moving  to  an  alternate 
site  or  dispersing  their  workforce;  and 

4.  Restricting  threatened  facility  access  to  essential  personnel  only. 

5.  Severe  Condition  (Red).  A  Severe  Condition  reflects  a  severe  risk  of  terrorist  attacks. 
Under  most  circumstances,  the  Protective  Measures  for  a  Severe  Condition  are  not 
intended  to  be  sustained  for  substantial  periods  of  time.  In  addition  to  the  Protective 
Measures in the previous Threat Conditions, Federal departments and agencies also
should  consider  the  following  general  measures  in  addition  to  the  agency-specific 
Protective  Measures  that  they  will  develop  and  implement: 

1. Increasing or redirecting personnel to address critical emergency needs;

2. Assigning emergency response personnel and pre-positioning and mobilizing
specially  trained  teams  or  resources; 

3.  Monitoring,  redirecting,  or  constraining  transportation  systems;  and 

4.  Closing  public  and  government  facilities. 

Comment  and  Review  Periods 

The  Attorney  General,  in  consultation  and  coordination  with  the  Assistant  to  the  President  for 
Homeland  Security,  shall,  for  45  days  from  the  date  of  this  directive,  seek  the  views  of 
government  officials  at  all  levels  and  of  public  interest  groups  and  the  private  sector  on  the 
proposed  Homeland  Security  Advisory  System. 

One  hundred  thirty-five  days  from  the  date  of  this  directive  the  Attorney  General,  after 
consultation  and  coordination  with  the  Assistant  to  the  President  for  Homeland  Security,  and 
having  considered  the  views  received  during  the  comment  period,  shall  recommend  to  the 
President  in  writing  proposed  refinements  to  the  Homeland  Security  Advisory  System. 
APPENDIX F - INFOCON POLICY RECOMMENDED ACTIONS


Normal 

•  Identify  all  mission  critical  information  and  information  systems  (including 
applications  and  databases)  and  their  operational  importance. 

•  Identify  all  points  of  access  and  their  operational  necessity. 

•  Conduct  periodic  internal  security  reviews. 

•  Ensure  an  effective  password  management  program  is  in  place. 

•  Conduct  education  and  training  for  users,  administrators,  and  management. 

•  Heighten  awareness  of  all  information  system  users  and  administrators. 

•  Confirm  the  existence  of  newly  identified  vulnerabilities  and  install  patches. 

•  Conduct  internal  security  review  on  all  critical  systems. 

•  Review  and  test  higher  level  INFOCON  measures. 

•  Consider  proactive  execution  of  higher  INFOCON  measures. 

Necessary 

•  Conduct  immediate  internal  security  review  on  all  critical  systems. 

•  Confirm  existence  of  newly  identified  vulnerabilities  and  install  patches. 

•  Review  and  test  higher  level  INFOCON  measures. 

•  Consider  proactive  execution  of  higher  INFOCON  measures. 

Critical 

•  Employ  alternative  modes  of  communication  and  disseminate  new  contact 
information. 

•  Review  and  test  higher  level  INFOCON  measures. 

•  Consider  proactive  execution  of  higher  INFOCON  measures. 

Grave 

•  Execute applicable portions of continuity of operations plan.

•  Disseminate  new  communication  procedures  internally  and  externally. 

•  Execute  procedures  for  ensuring  graceful  degradation  of  information  systems. 

•  Implement  procedures  for  conducting  operations  in  “stand-alone”  mode  or 
manually. 
APPENDIX G - APACHE WEB SERVER SCRIPT


#!/bin/sh
# Usage: ./webserver normal | telnet
# $1 is the INFOCON level; it names the staged httpd.conf that the tftp server
# hands out. The script prints a scripted telnet session on stdout.
level=$1
#
tftp=10.1.2.10
#
webserver=10.1.2.20
port=23
#
# Root password, sent in cleartext over the telnet session.
pwd=password
#
echo open ${webserver} ${port}
sleep 1
echo "root"
sleep 1
echo ${pwd}
sleep 1
#
# The relative ./usr paths below assume the login shell starts one level below /.
echo "cd .."
sleep 2
#
echo "./usr/local/sbin/apachectl stop"
sleep 3
#
echo "tftp ${tftp}"
sleep 1
echo "mode binary"
sleep 1
#
# get [host1:]file1 [host2:]file2 ... [hostN:]fileN
#
echo "get /home/tftp/webserver/${level}.conf /usr/local/etc/apache/httpd.conf"
#
sleep 2
#
echo quit
sleep 2
#
echo "./usr/local/sbin/apachectl start"
sleep 5
echo exit
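As an added example, not the thesis's Appendix G script and not code from Apache or any other project: the same level-driven swap of httpd.conf, carried out on the web server itself instead of through a scripted telnet login, with the candidate file syntax-checked before it replaces the live one, a backup kept, and a rollback if the reload fails. The layout is assumed for the example: staged files in <conf_dir>/<level>.conf (the thesis keeps them under /home/tftp/webserver), the live file at <live_conf>, and <apachectl> accepting "-t -f <file>" for a syntax check and "graceful" for a reload, both of which are standard apachectl/httpd arguments. demo() runs the procedure against a constructed directory with a stand-in apachectl shell script, so it executes without Apache installed.

```python
# Added example (not the thesis's own script): switch the Apache configuration to the file
# staged for an INFOCON level on the web server itself, instead of driving a telnet
# session as Appendix G does. Assumed layout (constructed for this example): staged files
# live in <conf_dir>/<level>.conf, the live file is <live_conf>, and <apachectl> is the
# apachectl binary, which accepts "-t -f <file>" for a syntax check and "graceful" to reload.
import os
import shutil
import subprocess
import tempfile


def staged_conf(level: str, conf_dir: str) -> str:
    """Return the staged file for a level; refuse level names that are not a plain file name."""
    if level != os.path.basename(level) or level.startswith("."):
        raise ValueError(f"invalid level name: {level!r}")
    path = os.path.join(conf_dir, f"{level}.conf")
    if not os.path.isfile(path):
        raise FileNotFoundError(f"no staged configuration for level {level!r}")
    return path


def config_ok(conf: str, apachectl: str) -> bool:
    """Syntax-check a candidate file before it touches the live configuration."""
    return subprocess.run([apachectl, "-t", "-f", conf], capture_output=True).returncode == 0


def reload_ok(apachectl: str) -> bool:
    return subprocess.run([apachectl, "graceful"], capture_output=True).returncode == 0


def switch_level(level: str, conf_dir: str, live_conf: str, apachectl: str) -> str:
    """Validate, back up, atomically install, reload; roll back if the reload fails."""
    src = staged_conf(level, conf_dir)
    if not config_ok(src, apachectl):
        return "rejected"            # live configuration untouched
    backup = live_conf + ".bak"
    if os.path.exists(live_conf):
        shutil.copy2(live_conf, backup)
    # Write into the same directory so os.replace() is an atomic rename on one filesystem.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(live_conf) or ".", prefix=".httpd.conf.")
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    os.replace(tmp, live_conf)
    if reload_ok(apachectl):
        return "switched"
    if os.path.exists(backup):       # reload failed: restore the previous file and reload again
        os.replace(backup, live_conf)
        reload_ok(apachectl)
    return "rolled-back"


def demo() -> dict:
    """Run the switch against a constructed layout with a stand-in apachectl (no Apache needed)."""
    root = tempfile.mkdtemp(prefix="infocon-")
    conf_dir = os.path.join(root, "staged")
    os.mkdir(conf_dir)
    for level, body in (("normal", "MaxClients 150\n"), ("critical", "MaxClients 50\n"),
                        ("grave", "BROKEN directive\n")):
        with open(os.path.join(conf_dir, f"{level}.conf"), "w") as f:
            f.write(body)
    live = os.path.join(root, "httpd.conf")
    # Stand-in for apachectl: "-t -f <file>" fails if the file contains BROKEN; "graceful" succeeds.
    stub = os.path.join(root, "apachectl")
    with open(stub, "w") as f:
        f.write('#!/bin/sh\ncase "$1" in "-t") grep -q BROKEN "$3" && exit 1 ;; esac\nexit 0\n')
    os.chmod(stub, 0o755)
    results = {
        "normal": switch_level("normal", conf_dir, live, stub),
        "critical": switch_level("critical", conf_dir, live, stub),
        "grave": switch_level("grave", conf_dir, live, stub),
    }
    with open(live) as f:
        results["live"] = f.read()
    with open(live + ".bak") as f:
        results["backup"] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

In the constructed run, "normal" and "critical" are installed in turn, the file staged for "grave" is rejected by the syntax check and the live configuration stays at the "critical" version, and the backup still holds the "normal" file; the level argument is also checked to be a bare name so that it cannot select a file outside the staging directory.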
APPENDIX H - GATEWAY ROUTER CONFIGURATION FILES
(SOURCE CI01, FI01, KO01, NA05, RO01, ST01)


noACL.txt

!Disable following servers
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no ip http server
!

!Disable following services
no cdp run
no service config
no ip source-route
no ip subnet-zero
!

!Configure the console and the virtual terminal lines () to time out a session
!Require a password at login and to allow only telnet traffic.
line con 0
exec-timeout 5 0
login
transport input telnet
line aux 0
no exec
exec-timeout 0 5
no login
transport input none
line vty 0 4
exec-timeout 5 0
login
transport input telnet
!

!Configure the Enable Secret password, protected by a MD5-based algorithm.
enable secret 0 thesis
!

!Configure passwords for the console, aux, and the virtual terminal lines.
!Use a different password for each line.
line con 0
password jennifer
line aux 0
password jennifer
line vty 0 4
password jennifer
!

!Provide protection for above passwords by the following global config cmd.
service password-encryption
!

!Clear out a previous acl
no access-list 100
no access-list 102
no access-list 105
!

interface e0
description outer
!

interface Ethernet 1
description inner
ip address 10.1.2.1 255.255.255.0
!

line vty 0 4
!

!Enable the router's logging capability
logging on
!

!Syslog level to be sent to the router console
logging console errors
!

!Disable logging to all terminal lines except for the router console.
no logging monitor
!

!Set the IP address of the log host
logging 10.1.2.10
!

!Set the syslog level to be sent to the log host
logging trap errors
!

!Set all log messages with the same IP source address of a router interface.
logging source-interface e1
!

!Set the syslog facility type in which log messages are sent
logging facility local7
!

end

Normal.txt

!Based on NSA 60min Security Guide
!

!Disable following servers
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no ip http server
!

!Disable following services
no cdp run
no service config
no ip source-route
no ip subnet-zero
!

!Configure the console and the virtual terminal lines () to time out a session
!Require a password at login and to allow only telnet traffic.
line con 0
exec-timeout 5 0
login
transport input telnet
line aux 0
no exec
exec-timeout 0 5
no login
transport input none
line vty 0 4
exec-timeout 5 0
login
transport input telnet
!

!Configure the Enable Secret password, protected by a MD5-based algorithm.
enable secret 0 thesis
!

!Configure passwords for the console, aux, and the virtual terminal lines.
!Use a different password for each line.
line con 0
password jennifer
line aux 0
password jennifer
line vty 0 4
password jennifer
!

!Provide protection for above passwords by the following global config cmd.
service password-encryption
!

!Clear out a previous acl
no access-list 100
no access-list 102
no access-list 105

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!

!Protect the router against the TCP SYN Attack.
!Denies anyone from any external network from starting any TCP connection
access-list 100 permit tcp any 10.1.2.0 0.0.0.255 established
!

access-list 100 permit tcp any 10.1.2.0 0.0.0.255
!

access-list 100 permit ip any 10.1.2.0 0.0.0.255
!

!Allow inbound to the protected network (e.g., 10.1.2.0) only
!ICMP message types: Echo Reply, Destination Unreachable
access-list 100 permit icmp any 10.1.2.0 0.0.0.255 echo-reply
access-list 100 permit icmp any 10.1.2.0 0.0.0.255 unreachable
!

!Allow only trusted addresses to port 53
access-list 100 permit tcp host 10.1.2.6 host 0.0.0.0 eq 53 log
access-list 100 permit udp host 10.1.2.6 host 0.0.0.0 eq 53 log
!

!Provide IP address spoof protection for inbound traffic to protected network
!(e.g. 10.1.2.0).
!access-list 100 deny ip 10.1.2.0 0.0.0.255 any log
!access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
!

!Block inbound traceroute from a Unix computer
access-list 100 deny udp any any range 33434 33534 log
!

!Force the router to log the src and dest ports for denied TCP and UDP traffic.
access-list 100 deny udp any range 0 65535 any range 0 65535 log
access-list 100 deny tcp any range 0 65535 any range 0 65535 log
!

access-list 100 deny icmp any any log
access-list 100 deny ip any any log
!

interface e0
description outer
ip access-group 100 in
!

!Set logging on an extended IP access-list statement
access-list 102 permit tcp 10.1.2.0 0.0.0.255 any eq 80
access-list 102 permit tcp 10.1.2.0 0.0.0.255 any
!

!Provide IP address spoof protection for outbound traffic from protected network
!(e.g. 10.1.2.0).
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!

!Allow outbound from the protected network (e.g., 10.1.2.0) only
!ICMP message types: Echo
access-list 102 permit icmp 10.1.2.0 0.0.0.255 any echo
access-list 102 deny icmp any any log
access-list 102 deny ip any any log
!

interface Ethernet 1
description inner
ip address 10.1.2.1 255.255.255.0
ip access-group 102 in
!

!Allow Telnet access from certain computers on the protected network (e.g.,
!14.4.4.0) to the router via an extended IP access-list. The administrator can
!telnet to any interface IP address on the router.
access-list 105 permit tcp 10.1.2.0 0.0.0.255 any eq 23 log
access-list 105 deny ip any any log
line  vty  0  4 
aeeess-elass  105  in 
! 

[Enable  the  router’s  logging  eapability 
logging  on 
! 

[Syslog  level  to  be  sent  to  the  router  eonsole 
logging  eonsole  errors 
! 

[disable  logging  to  all  terminal  lines  exeept  for  the  router  eonsole. 

[no  logging  monitor 
! 

[Set  the  IP  address  of  the  log  host 
logging  10.1.2.10 
! 

[Set  the  syslog  level  to  be  sent  to  the  log  host 
logging  trap  errors 
! 

[how  to  set  time  information  for  the  logging  and  debugging. 
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!ntp  server  10.1.2.10 
!ntp  server  10.1.2.10 
!ntp  souree  EthernetO/l 

Iserviee  timestamps  log  date  time  loealtime  show-timezone 
Iserviee  timestamps  debug  datetime  loealtime  show-timezone 
leloek  timezone  EST  -5 
leloek  summer-time  EDT  reeurring 
! 

!set  all  log  messages  with  the  same  IP  souree  address  of  a  router  interfaee. 
logging  souree-interfaee  el 
! 

!Set  the  syslog  faeility  type  in  whieh  log  messages  are  sent 
logging  faeility  loealV 
! 

end 

Necessary.txt

! Based on NSA 60min Security Guide
!
! Disable following servers
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no ip http server
!
! Disable following services
no cdp run
no service config
no ip source-route
no ip subnet-zero
!
! Configure the console and the virtual terminal lines () to time out a session
! Require a password at login and to allow only telnet traffic.
line con 0
exec-timeout 5 0
login
transport input telnet
line aux 0
no exec
exec-timeout 0 5
no login
transport input none
line vty 0 4
exec-timeout 5 0
login
transport input telnet
!
! Configure the Enable Secret password, protected by an MD5-based algorithm.
enable secret 0 thesis
!
! Configure passwords for the console, aux, and the virtual terminal lines.
! Use a different password for each line.
line con 0
password jennifer
line aux 0
password jennifer
line vty 0 4
password jennifer
!
! Provide protection for above passwords by the following global config cmd.
service password-encryption
!
! Clear out a previous acl
no access-list 100
no access-list 102
no access-list 105
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!
! Protect the router against the TCP SYN Attack.
! denies anyone from any external network from starting any TCP connection
access-list 100 permit tcp any 10.1.2.0 0.0.0.255 established
!
access-list 100 permit tcp any 10.1.2.0 0.0.0.255
!
access-list 100 permit ip any 10.1.2.0 0.0.0.255
!
! Allow only trusted addresses to port 53
access-list 100 permit tcp host 10.1.2.6 host 0.0.0.0 eq 53 log
access-list 100 permit udp host 10.1.2.6 host 0.0.0.0 eq 53 log
!
! Block all inbound icmp
access-list 100 deny icmp any any log
! access-list 100 deny ip any any log
!
! Block inbound traceroute from a Unix computer
access-list 100 deny udp any any range 33434 33534 log
!
interface e0
description outer
ip access-group 100 in
!
! Set logging on an extended IP access-list statement
access-list 102 permit tcp 10.1.2.0 0.0.0.255 any eq 80
access-list 102 permit tcp 10.1.2.0 0.0.0.255 any
!
! Provide IP address spoof protection for outbound traffic from protected network (e.g., 10.1.2.0).
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!
! Block all outbound icmp
access-list 102 deny icmp any any log
! access-list 102 deny ip any any log
!
interface Ethernet 1
description inner
ip address 10.1.2.1 255.255.255.0
ip access-group 102 in
!
! Allow Telnet access from certain computers on the protected network (e.g., 14.4.4.0) to the router
! via an extended IP access-list. The administrator can telnet to any interface IP address on the
! router.
access-list 105 permit tcp 10.1.2.0 0.0.0.255 any eq 23 log
access-list 105 deny ip any any log
line vty 0 4
access-class 105 in
!
! Enable the router's logging capability
logging on
!
! Syslog level to be sent to the router console
logging console warnings
!
! disable logging to all terminal lines except for the router console.
no logging monitor
!
! Set the IP address of the log host
logging 10.1.2.10
!
! Set the syslog level to be sent to the log host
logging trap warnings
!
! set all log messages with the same IP source address of a router interface.
logging source-interface e1
!
! Set the syslog facility type in which log messages are sent
logging facility local7
!
end

Critical.txt

! Based on NSA 60min Security Guide
!
! Disable following servers
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no ip http server
!
! Disable following services
no cdp run
no service config
no ip source-route
no ip subnet-zero
!
! Configure the console and the virtual terminal lines () to time out a session
! Require a password at login and to allow only telnet traffic.
line con 0
exec-timeout 5 0
login
transport input telnet
line aux 0
no exec
exec-timeout 0 5
no login
transport input none
line vty 0 4
exec-timeout 5 0
login
transport input telnet
!
! Configure the Enable Secret password, protected by an MD5-based algorithm.
enable secret 0 thesis
!
! Configure passwords for the console, aux, and the virtual terminal lines.
! Use a different password for each line.
line con 0
password jennifer
line aux 0
password jennifer
line vty 0 4
password jennifer
!
! Provide protection for above passwords by the following global config cmd.
service password-encryption
!
! Clear out a previous acl
no access-list 100
no access-list 102
no access-list 105
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!
! Protect the router against the TCP SYN Attack.
! denies anyone from any external network from starting any TCP connection
access-list 100 permit tcp any 10.1.2.0 0.0.0.255 established
!
access-list 100 permit tcp any 10.1.2.0 0.0.0.255
!
access-list 100 permit ip any 10.1.2.0 0.0.0.255
!
! Allow only trusted addresses to port 53
access-list 100 permit tcp host 10.1.2.6 host 0.0.0.0 eq 53 log
access-list 100 permit udp host 10.1.2.6 host 0.0.0.0 eq 53 log
!
! Block all inbound icmp
access-list 100 deny icmp any any log
!
access-list 100 deny ip any any log
!
! Block inbound traceroute from a Unix computer
access-list 100 deny udp any any range 33434 33534 log
!
interface e0
description outer
ip access-group 100 in
!
! Set logging on an extended IP access-list statement
access-list 102 permit tcp 10.1.2.0 0.0.0.255 any eq 80
!
! Provide IP address spoof protection for outbound traffic from protected network (e.g., 10.1.2.0).
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!
! Block all outbound icmp
access-list 102 deny icmp any any log
!
! access-list 102 deny ip any any log
!
interface Ethernet 1
description inner
ip address 10.1.2.1 255.255.255.0
ip access-group 102 in
!
! Allow Telnet access from certain computers on the protected network (e.g., 14.4.4.0) to the router
! via an extended IP access-list. The administrator can telnet to any interface IP address on the
! router. However, the router converts any interface IP address to 0.0.0.0.
! Thus, the unusual destination IP address 0.0.0.0 must be used in the access-list.
access-list 105 permit tcp 10.1.2.0 0.0.0.255 any eq 23 log
access-list 105 deny ip any any log
line vty 0 4
access-class 105 in
!
! Enable the router's logging capability
logging on
!
! Syslog level to be sent to the router console
logging console notifications
!
! disable logging to all terminal lines except for the router console.
no logging monitor
!
! Set the IP address of the log host
logging 10.1.2.10
!
! Set the syslog level to be sent to the log host
logging trap notifications
!
! set all log messages with the same IP source address of a router interface.
logging source-interface e1
!
! Set the syslog facility type in which log messages are sent
logging facility local7
!
end

Grave.txt

! Based on NSA 60min Security Guide
!
! Disable following servers
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no ip http server
!
! Disable following services
no cdp run
no service config
no ip source-route
no ip subnet-zero
!
! Configure the console and the virtual terminal lines () to time out a session
! Require a password at login and to allow only telnet traffic.
line con 0
exec-timeout 5 0
login
transport input telnet
line aux 0
no exec
exec-timeout 0 5
no login
transport input none
line vty 0 4
exec-timeout 5 0
login
transport input telnet
!
! Configure the Enable Secret password, protected by an MD5-based algorithm.
enable secret 0 thesis
!
! Configure passwords for the console, aux, and the virtual terminal lines.
! Use a different password for each line.
line con 0
password jennifer
line aux 0
password jennifer
line vty 0 4
password jennifer
!
! Provide protection for above passwords by the following global config cmd.
service password-encryption
!
! Clear out a previous acl
no access-list 100
no access-list 102
no access-list 105
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!
! Permit only VPN port, which is port 336
access-list 100 permit tcp any any eq 336
!
! Protect the router against the TCP SYN Attack.
! denies anyone from any external network from starting any TCP connection
access-list 100 permit tcp any 10.1.2.0 0.0.0.255 established
!
! Block all inbound icmp
access-list 100 deny icmp any any log
!
access-list 100 deny ip any any log
!
! Block inbound traceroute from a Unix computer
access-list 100 deny udp any any range 33434 33534 log
!
interface e0
description outer
ip access-group 100 in
!
! Set logging on an extended IP access-list statement
! access-list 102 permit tcp 10.1.2.0 0.0.0.255 any eq 80
!
! Provide IP address spoof protection for outbound traffic from protected network (e.g., 10.1.2.0).
! access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!
! Block all outbound icmp
access-list 102 deny icmp any any log
!
access-list 102 deny ip any any log
!
interface Ethernet 1
description inner
ip address 10.1.2.1 255.255.255.0
ip access-group 102 in
!
! Allow Telnet access from certain computers on the protected network (e.g., 14.4.4.0) to the router
! via an extended IP access-list. The administrator can telnet to any interface IP address on the
! router. However, the router converts any interface IP address to 0.0.0.0.
! Thus, the unusual destination IP address 0.0.0.0 must be used in the access-list.
access-list 105 permit tcp 10.1.2.0 0.0.0.255 any eq 23 log
access-list 105 deny ip any any log
line vty 0 4
access-class 105 in
!
! Enable the router's logging capability
logging on
!
! Syslog level to be sent to the router console
logging console informational
!
! disable logging to all terminal lines except for the router console.
no logging monitor
!
! Set the IP address of the log host
logging 10.1.2.10
!
! Set the syslog level to be sent to the log host
logging trap debugging
!
! set all log messages with the same IP source address of a router interface.
logging source-interface e1
!
! Set the syslog facility type in which log messages are sent
logging facility local7
!
end
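Because IOS evaluates a numbered access-list top to bottom and stops at the first match, the order of the entries in the router files above decides which ones ever fire. The following evaluator is an added example (my code, not the thesis's and not Cisco's) that applies those first-match semantics to the extended ACL syntax the files use; NORMAL_IN is a constructed excerpt of the inbound list 100 from Normal.txt, in the page's order.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple
# Added example, not the thesis's code: first-match evaluation of the numbered
# extended ACL lines used in the router files above, of the form
#   access-list N permit|deny PROTO SRC [PORT] DST [PORT] [established] [log]
# SRC/DST = any | host A.B.C.D | A.B.C.D WILDCARD; PORT = eq N | range LO HI.
# Hypothetical and minimal: gt/lt, ICMP types and other keywords are not modelled.
Net = Tuple[int, int]              # (network, mask) as 32-bit integers
Ports = Optional[Tuple[int, int]]  # inclusive port range; None = any port

class Packet(NamedTuple):
    proto: str; src: str; dst: str     # proto is "tcp", "udp" or "icmp"
    sport: int = 0; dport: int = 0
    ack: bool = False                  # ACK/RST set: what "established" matches on

class Rule(NamedTuple):
    action: str; proto: str; src: Net; sport: Ports; dst: Net; dport: Ports; established: bool

def _addr(t: List[str], i: int) -> Tuple[Net, int]:
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0xFFFFFFFF), i + 2
    net, wild = int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))
    return (net, 0xFFFFFFFF ^ wild), i + 2     # IOS wildcard: set bits are "don't care"

def _port(t: List[str], i: int) -> Tuple[Ports, int]:
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_acl(config: str, number: int) -> List[Rule]:
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue                           # skips '!' comments and 'no access-list N'
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(Rule(t[2], t[3], src, sport, dst, dport, "established" in t[i:]))
    return rules

def _in(net: Net, addr: str) -> bool:
    return (int(ipaddress.IPv4Address(addr)) & net[1]) == (net[0] & net[1])
def _port_ok(rng: Ports, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of first matching entry); implicit deny at the end, as on IOS."""
    for n, r in enumerate(rules):
        if (r.proto in ("ip", pkt.proto) and _in(r.src, pkt.src) and _in(r.dst, pkt.dst)
                and _port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)
                and (pkt.ack or not r.established)):
            return r.action, n
    return "deny", None

# Constructed excerpt of the Normal.txt inbound list 100, entries in the page's order.
NORMAL_IN = """
access-list 100 permit tcp any 10.1.2.0 0.0.0.255 established
access-list 100 permit tcp any 10.1.2.0 0.0.0.255
access-list 100 permit ip any 10.1.2.0 0.0.0.255
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny udp any any range 33434 33534 log
access-list 100 deny ip any any log
"""
NORMAL_RULES = parse_acl(NORMAL_IN, 100)
```

Evaluating a packet that spoofs 127.0.0.1 toward 10.1.2.0/24 returns permit from entry 2 (`permit ip any 10.1.2.0 0.0.0.255`), so the spoof deny that follows it is never reached; evaluating the same packet against the list with the deny entries first returns deny.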
APPENDIX I - MANAGED SWITCH CONFIGURATION FILES
(SOURCE CI01, FI01, KO01, NA05, RO01, ST01)


Normal.txt

hostname switch
!
! Configure the Enable Secret password, protected by an MD5-based algorithm.
enable secret 0 Jennifer
enable password Jennifer
!
! need to clean out prior config file
no access-list 1
!
cdp timer 200
cdp holdtime 160
cdp advertise-v2
cdp run
!
! specify machines to manage switch
access-list 1 permit 10.1.2.0 0.255.255.255
access-list 1 deny any
line vty 0 4
access-class 1 in
!
! disable unnecessary services
no ip http server
no service pad
!
! interface
interface Vlan1
no shutdown
ip address 10.1.2.2 255.255.255.0
!
! Enable the switch's logging capability
logging on
!
! Syslog level to be sent to the switch console
logging console errors
!
! disable logging to all terminal lines except for the switch console.
no logging monitor
!
! Set the IP address of the log host
logging 10.1.2.10
!
! Set the syslog level to be sent to the log host
logging trap errors
!
! Set the syslog facility type in which log messages are sent
logging facility local7
!
end

Necessary.txt

hostname switch
!
! Configure the Enable Secret password, protected by an MD5-based algorithm.
enable secret 0 Jennifer
enable password Jennifer
!
! need to clean out prior config file
no access-list 1
!
no cdp timer
no cdp holdtime
no cdp run
!
! specify machines to manage switch
access-list 1 permit 10.1.2.0 0.0.0.255 log
access-list 1 deny any log
line vty 0 4
access-class 1 in
!
! disable unnecessary services
no ip http server
no service pad
!
! set gateway MAC statically
! mac-address-table static <gateway MAC> vlan 1 interface fa0/1
!
! set static ARP entry
! arp <gateway IP> <gateway MAC>
!
! interface
interface Vlan1
no shutdown
ip address 10.1.2.2 255.255.255.0
!
! Enable the switch's logging capability
logging on
!
! Syslog level to be sent to the switch console
logging console warnings
!
! disable logging to all terminal lines except for the switch console.
no logging monitor
!
! Set the IP address of the log host
logging 10.1.2.10
!
! Set the syslog level to be sent to the log host
logging trap warnings
!
! Set the syslog facility type in which log messages are sent
logging facility local7
!
end

Critical.txt

hostname switch
!
! Configure the Enable Secret password, protected by an MD5-based algorithm.
enable secret 0 Jennifer
enable password Jennifer
!
! need to clean out prior config file
no access-list 1
!
no cdp timer
no cdp holdtime
no cdp run
!
! specify machines to manage switch
access-list 1 permit 10.1.2.0 0.0.0.255 log
access-list 1 deny any log
line vty 0 4
access-class 1 in
!
! disable unnecessary services
no ip http server
no service pad
!
! interface
interface Vlan1
no shutdown
ip address 10.1.2.2 255.255.255.0
!
! Enable the switch's logging capability
logging on
!
! Syslog level to be sent to the switch console
logging console notifications
!
! disable logging to all terminal lines except for the switch console.
no logging monitor
!
! Set the IP address of the log host
logging 10.1.2.10
!
! Set the syslog level to be sent to the log host
logging trap notifications
!
! Set the syslog facility type in which log messages are sent
logging facility local7
!
end

Grave.txt

hostname switch
!
! Configure the Enable Secret password, protected by an MD5-based algorithm.
enable secret 0 Jennifer
enable password Jennifer
!
! need to clean out prior config file
no access-list 1
!
no cdp timer
no cdp holdtime
no cdp run
!
! specify machines to manage switch
access-list 1 permit 10.1.2.0 0.0.0.255 log
access-list 1 deny any log
line vty 0 4
access-class 1 in
!
! disable unnecessary services
no ip http server
no service pad
!
! interface
interface Vlan1
no shutdown
ip address 10.1.2.2 255.255.255.0
!
! Enable the switch's logging capability
logging on
!
! Syslog level to be sent to the switch console
logging console informational
!
! disable logging to all terminal lines except for the switch console.
no logging monitor
!
! Set the IP address of the log host
logging 10.1.2.10
!
! Set the syslog level to be sent to the log host
logging trap informational
!
! Set the syslog facility type in which log messages are sent
logging facility local7
!
end